NAT on the VPN traffic

Hello everyone, I need help in a vpn configuration, this is the problem that I need nat all vpn traffic because I net to put into place a vpn but I already have another vpn with the same network, so that overlap with the new one, then how I can nat overlaps all traffic to another network in order to avoid the network?.

Please I really need help

Thank you

You say that the 192.168.1.100 is able to go through the tunnel and the internet now?

Try to add another...

IP nat inside source static 192.168.1.101 10.10.44.101 map route VPN

for example.

Federico.

Tags: Cisco Security

Similar Questions

Cisco IOS - how config static nat to NAT on the VPN

Hello world

I need help.

I configured a VPN site-to site between two routers IOS. One of the routers already had a static NAT (172.16.100.1 inside to the public IP address), but this static NAT prevents remote VPN hosts access to the 172.16.100.1 home as it tries to the response to public IP NAT router configured.

Does anyone know how to use static NAT for the inside to the outside, but don't not NAT inside to outside VPN traffic?

I know how to make using a roadmap for "overload" dynamic NAT, but I can't? t see how you can use a roadmap on the static NAT statement.

You can provide any help would be appreciated.

Chris

Hi Chris

Take a look at the document atatched with gives a few examples of the very thing you are trying to do.

http://www.Cisco.com/en/us/products/SW/iosswrel/ps1839/products_feature_guide09186a0080087bac.html

HTH

Jon

VPN-filer configuration on the VPN traffic

Hello world

We set up a site to ipsec with the seller.

For security reasons we do not want to allow all traffic through the tunnel.

ASA has 2 interfaces both inside and outside.

We refuse any one on the external interface ip.

I have config vpn run ACL to allow traffic on port ssh, icmp through the tunnel.

Then I applied it under the group policy.

name of VPN-filter value.

Need to confirm that I must also allow ipec protocols as esp etc under VPN filter ACL?

Concerning

MAhesh

The vpn-filter is applied to the traffic flowing through the tunnel. You don't need to allow all traffic that 'built' like IKE and IPsec VPN.

On the SAA, you must also add this traffic to your external ACL is it necessary on IOS routers.

For the vpn-filter, be aware that the syntax is not
```
permit/deny PROTOCOL SOURCE DESTINATION
```
It's
```
permit/deny PROTOCOL REMOTE LOCAL
```
This is relevant when you want to filter traffic from your network to the network of peers.

I can NAT before the VPN Tunnel?

Hello

I want to add servers in a configuration in ipsec tunnel site to another for transportation.

However, I have to NAT these machines for the presentation of the other side.

For a Cisco 1760 (vpn termination point) running on 12.3 code, is it possible?

If it's possible, could I get a link to a config? Or maybe an excerpt here?

We use two interfaces ethernet for this:

Ethernet1/0 is inside

ethernet0/0 is outside

Can't seem to find any documentation for it.

Thank you

Paul

It is "NAT order of operation" used by Cisco devices, it seems that NAT is anyway before the crypto control

http://www.Cisco.com/en/us/Tech/tk648/tk361/technologies_tech_note09186a0080133ddd.shtml

Concerning

Farrukh

How to configure the vpn using two segments in a tunnel?

Hi guys,.

Please help me how to set up two segment in a vpn tunnel. Our client has two segments which is 10.15 and 192.168. We have already established VPN connectivity. We can ping the 10.15 segment, but we can not ping 192.168. Attached is the sample configuration.

crypto ISAKMP policy 1

BA 3des

preshared authentication

Group 2

ISAKMP crypto key xxxxxx address 11.11.11.11

!

86400 seconds, duration of life crypto ipsec security association

!

Crypto ipsec transform-set esp-SHA-ESP-3DES-3des esp-sha-hmac

!

map SDM_CMAP_1 1 ipsec-isakmp crypto

Tunnel description

defined peer 11.11.11.11

Set security-association second life 28800

game of transformation-ESP-3DES-SHA

match address 102

access-list 101 deny ip 192.168.202.0 0.0.0.255 host 10.15.0.177

access-list 101 deny ip 192.168.202.0 0.0.0.255 host 192.168.30.174

access-list 101 permit ip 192.168.202.0 0.0.0.255 any

access-list 102 permit ip 192.168.202.0 0.0.0.255 host 10.15.0.178

access-list 102 permit ip 192.168.202.0 0.0.0.255 host 192.168.30.174

Here is the extended ping.

Router #ping

Protocol [ip]:

Target IP address: 10.15.0.177

Number of repetitions [5]:

Size of datagram [100]:

Timeout in seconds [2]:

Extended commands [n]: y

Source address or the interface: 192.168.202.3

Type of service [0]:

Set the DF bit in the IP header? [None]:

Validate the response data? [None]:

Data model [0xABCD]:

In bulk, Strict, Record, Timestamp, Verbose [no]:

Scan the range of sizes [n]:

Type to abort escape sequence.

Send 5, echoes ICMP 100 bytes to 10.15.0.177, wait time is 2 seconds:

Packet sent with a source address of 192.168.202.3

.!!!!

Success rate is 80% (4/5), round-trip min/avg/max = 172/172/172 ms

Router #ping

Protocol [ip]:

Target IP address: 192.168.30.174

Number of repetitions [5]:

Size of datagram [100]:

Timeout in seconds [2]:

Extended commands [n]: y

Source address or the interface: 192.168.202.3

Type of service [0]:

Set the DF bit in the IP header? [None]:

Validate the response data
? [None]:
Data model [0xABCD]:

In bulk, Strict, Record, Timestamp, Verbose [no]:

Scan the range of sizes [n]:

Type to abort escape sequence.

Send 5, echoes ICMP 100 bytes to 192.168.30.174, wait time is 2 seconds:

Packet sent with a source address of 192.168.202.3

.....

Success rate is 0% (0/5)

And here is the result of its crypto isakmp.

Crypto ISAKMP router #show its

status of DST CBC State conn-id slot

11.11.11.11 22.22.22.22 QM_IDLE 1 0 ACTIVE

And here is the encryption session.

Router #show crypto sessio

Session encryption router #show

Current state of the session crypto

Interface: FastEthernet0/0

The session state: UP-ACTIVE

Peer: 11.11.11.11 port 500

FLOW IPSEC: allowed host 192.168.202.0/255.255.255.0 ip 192.168.30.174

Active sAs: 2, origin: card crypto

FLOW IPSEC: allowed host 192.168.202.0/255.255.255.0 ip 10.15.0.177

Active sAs: 2, origin: card crypto

And here are the details of the encryption session.

Router #show crypto session detail

Current state of the session crypto

Code: C - IKE Configuration mode, D - Dead Peer Detection

K - KeepAlive, N - NAT-traversal, X - IKE extended authentication

Interface: FastEthernet0/0

The session state: UP-ACTIVE

Peer: 11.11.11.11 port fvrf 500: (none) ivrf: (none)

Phase1_id: 11.11.11.11

DESC: (none)

IKE SA: local 22.22.22.22/500 remote 11.11.11.11/500 Active

Capabilities: (None) connid:1 life time: 23:44:02

FLOW IPSEC: allowed host 192.168.202.0/255.255.255.0 ip 192.168.30.174

Active sAs: 2, origin: card crypto

On arrival: dec #pkts'ed drop 0 0 life (KB/s) 4568454/27867

Outbound: #pkts enc'ed 4 drop 1 life (KB/s) 4568453/27867

FLOW IPSEC: allowed host 192.168.202.0/255.255.255.0 ip 10.15.0.177

Active sAs: 2, origin: card crypto

On arrival: #pkts dec' 8 drop 0 ed life (KB/s) 4591368/27842

Outbound: #pkts enc'ed 8 drop 2 life (KB/s) 4591368/27842

Hello

Your side has 192.168.202.0/24 and you are trying to PING 10.15 successfully but not 192.168.30.174

Check that the ASA has a route to 192.168.30.174 pointing to the external interface.

Also check that the customer has defined the 192.168.30.174 as part of the VPN traffic correctly.

Federico.

Is it still possible? Customer VPN traffic through a PIX for an another VPN?

Hi, I just want to know if the following is actually technically possible? I'm starting to think I'm trying to implement a solution that is simply not possible.

I have the following:

VPN<->CiscoPix506e<->Cisco3000 Clients

VPN clients running an IPSEC VPN for the 506th Cisco PIX and can access its "internal network" very well.

The Cisco pix is running a VPN to another company where all network traffic is nat'ed to a single address IP RFC1918 before coming out of the tunnel (requirement of the other company to avoid the problems of overlap)

and everyone on the "internal network" can access this great VPN.

I want that people who use the VPN client to be able to access the other site-to-site VPN. I think that NAT forced to the external company VPN is a problem.

All of the examples for VPN VPN cross-I see specify NAT should be disabled on the entire path. I can't do it in this situation. Is it possible to make this work?

I guess with a good statement of ACL that all my problems will be solved.

If you just get the users connect to the cisco 3000 rather than transversing my network. I don't have for the following reasons. I have no access to the cisco 3000 vpn concentrator and a very limited amount of the tunnels that they can open for my business. I was instructed to implement a solution to facilitate the life of employees (so that they only run a VPN tunnel at a time to do their work). For the moment, they need access to the systems within our corporate network and external society through the site to site VPN (it's actually a web application). They can do this at the office but obviously not home if they attempt to use remote access.

I have attached a diagram of the network example PDF explaining the situation.

Networks of each address is the following (change of the actual address of the innocents :))):

CLIENTS_VPN

192.168.10.0/24

Internal network

192.168.1.0/24

External VPN end point

192.168.20.0/24

Address used for NAT on the VPN

172.16.1.1/32

the IOS config

local IP pool - 192.168.10.1 VPN CLIENTS - 192.168.10.254

inside ip access list allow a whole

access-list allowed SHEEP ip 192.168.1.0 255.255.255.0 192.168.10.0 255.255.255.0

access list permits EXTERNAL-ACL-VPN ip 172.16.1.1 host 192.168.20.0 255.255.255.0

EXTERNAL-ACL-NAT of the list of permitted access ip 192.168.1.0 255.255.255.0 192.168.20.0 255.255.255.0

IP address outside a.b.c.d 255.255.255.0

IP address inside 192.168.10.1 255.255.255.0

Global interface 2 (external)

Global (outside) 1 172.16.1.1

NAT (inside) 0 access-list SHEEP

NAT (inside) - EXTERNAL-ACL-1 NAT access list 0 0

NAT (inside) 2 0.0.0.0 0.0.0.0 0 0

outside access-group in external interface

Route outside 0.0.0.0 0.0.0.0 a.b.c.d 1

Thank you

Jason.

I understand from your description of the scenario, you try to route traffic on the same interface on which it was received on the PIX. This is called pinning hair in traffic and is not currently supported in PIX (6.3).

Œuvres ping for the VPN ASA5505 RDP does not work?

I have an ASA5505 VPN remote access facility

I have a server connected directly behind the ASA and I can ping the server without problem.

The reports being encrypted and decrypted packets VPN client

However when I try to RDP to the server packages encyrpted keep incrementing but the decrypted packets are not.

I also do not see all RDP traffic hit the server (checked by ethereal)

I did a packet trace and it succeeds, but ends with a parody of IP which I believe is correct as is the vpn traffic and not actually be encrypted.

This is the correction of the RDP session, I'm confused by one ICMP denied on line 2 that I am able to ping the server?

% ASA-6-302013: built of TCP connections incoming 88193 for external:172.16.24.4/50984 (172.16.24.4/50984) at internal:192.168.100.146/3389 (192.168.100.146/3389) (roger_ssl)

% ASA-4-313004: Denied ICMP type = 0, of laddr 172.16.24.4 on the external interface to 192.168.100.146: no matching session

% ASA-609001 7: built internal local-host: 192.168.100.37

% ASA-6-302015: built connection UDP incoming 88194 for external:172.16.24.4/50620 (172.16.24.4/50620) at internal:192.168.100.37/53 (192.168.100.37/53) (roger_ssl)

% ASA-4-313004: Denied ICMP type = 0, of laddr 172.16.24.4 on the external interface to 192.168.100.37: no matching session

% ASA-6-302015: built connection UDP incoming 88195 for external:172.16.24.4/64598 (172.16.24.4/64598) at internal:192.168.100.37/53 (192.168.100.37/53) (roger_ssl)

% ASA-4-313004: Denied ICMP type = 0, of laddr 172.16.24.4 on the external interface to 192.168.100.37: no matching session

% ASA-4-313004: Denied ICMP type = 0, of laddr 172.16.24.4 on the external interface to 192.168.100.37: no matching session

% 302014-6-ASA: disassembly of the TCP connection 88193 for external:172.16.24.4/50984 to internal:192.168.100.146/3389 duration 0: bytes of 00:00 0 flow closed by inspection (roger_ssl)

I have that configured NAT

NAT (internal, external) static source 192.168.100.0 192.168.100.0 static destination VPN_172 VPN_172

The only logical bit that is closed by the inspection flow? Is this to say that the server has not responded?

And decrypt packets increase not when trying to RDP

Does this mean anyting to anyone that I have arrived at the end of my knowledge of the SAA on this one!

Thank you

Roger

Answer is based on your other thread:

https://supportforums.Cisco.com/thread/2207372

VPN traffic via a secondary access provider

Hello world

I have been asked by a client to implement this topology:

where:

ISP 1 is used as primary internet connection.

2 ISP will be used to connect remote users by IPsec VPN.

Currently, I'm not looking for the Active/Backup feature, I need to know if I can use both ISP connections (as I've written before) an ISP for the Internet company and the other for the user remote access VPN.

I read some post where, said, it's possible, but I want to be sure.

Kind regards

Jose

ASA must add the static route in the routing table automatically when the VPN client is connected. So, in general, you don't need to do anything. But if not, you can just manually configure who will forward a VPN client IP packet to ISP2.

With respect to NAT, in general, VPN traffic must ignore the NAT. You can use "nat (inside_interface_name) 0-list of access ' with an ACL that define the vpn traffic to do so.

Interpret what is allowed on the VPN tunnel

Hello

I work with Cisco PIX equipment for the first time and I'm trying to understand what is allowed on one of the VPN tunnels which are established on the PIX.

I interpret this PIX did by reading the running configuration. I was able to understand most of it (with the help of the cisco site), so I'm starting to get comfortable with it. I'm looking for more help in the interpretation of what is allowed by a good VPN tunnel. Here are some details:

map Cyril 2 ipsec-isakmp crypto

Cyril 2 crypto card matches the acl-vpntalk address

access list acl-vpntalk allowed ip object-group my_inside_network 172.17.144.0 255.255.255.0

So, if I interpret it correctly, then the traffic matching ACL acl-vpntalk will go on the VPN tunnel.

As far as the lists others access dedicated, my inner interface I have:

Access-group acl-Interior interface inside

With ACL-Interior:

access list acl-Interior ip allow a whole

So nothing complicated there.

Now, just because of all this I conclude I encouraged all remote network traffic in my site. If all traffic 172.17.144.0/24 is allowed to join my network.

However, I don't know if this conclusion is correct.

This ACL is also applied:

Access-group acl-outside in external interface

And it looks like:

deny access list acl-outside ip a

I'm not sure if this ACL applies to vehicles coming from the IPSEC peer. It's for sure inbound on the external interface, but if it is valid for the IPSEC traffic I don't know.

If it is valid, then am I had reason to conclude that only connections initiated from my inside network to the remote control can come back?

Thanks in advance for your ideas.

With sincere friendships.

Kevin

Hey Kevin,

Here are my comments, hope you find them useful:

1. the ACL called "acl-vpntalk" sets traffic who will visit the IPSec tunnel, so you got that right. All traffic from the group called "my_inside_network" will 172.17.144.0/24 will pass through the tunnel, and there should be a similar to the other VPN end opposite ACL.

2. the 'acl-inside' applied to the inside interface allows any ip traffic coming out of the isnide to any destination.

3. the 'acl-outside' rejects all traffic from entering your home network, but the IPSec traffic is free and will cross because you will find a "sysopt connection permit-ipsec' configured on your PIX command that tells the operating system to allow all traffic destined for VPN tunnels without explicitly enabling it through the inbound ACL. If you have stopped the "sysopt" should stop your traffic and you will have more control on your tunnel traffic.

Personally, I usually disable the "sysopt" and control the VPN traffic in my incoming ACL.

Just a quick note, if you look more deeply into the ACL on the PIX functionality, you will find that no traffic moves inside, if she is not allowed on the external interface. For example, you can allow traffic between "inside" and "dmz" interfaces by adding an entry 'allow' on one of the ACLS applied to one of these interfaces. But when you want to allow traffic from the external interface (security level 0), you will need to allow in the inbound ACL applied on the external interface.

I could have written something vague, but I hope you get my point.

Thank you.

Salem.

Split of static traffic between the VPN and NAT

Hi all

We have a VPN from Site to Site that secures all traffic to and from 10.160.8.0/24 to/from 10.0.0.0/8. It's for everything - including Internet traffic. However, there is one exception (of course)...

The part that I can't make it work is if traffic comes from the VPN (10.0.0.0/8) of 10.160.8.5 (on 80 or 443), then the return traffic must go back through the VPN. BUT, if traffic 80 or 443 comes from anywhere else (Internet via X.X.X.X which translates to 10.160.8.5), so there need to be translated réécrirait Internet via Gig2.

I have the following Setup (tried to have just the neccessarry lines)...

interface GigabitEthernet2

address IP Y.Y.Y.Y 255.255.255.0! the X.X.X.X and Y.Y.Y.Y are in the same subnet

address IP X.X.X.X 255.255.255.0 secondary

NAT outside IP

card crypto ipsec-map-S2S

interface GigabitEthernet4.2020

Description 2020

encapsulation dot1Q 2020

IP 10.160.8.1 255.255.255.0

IP nat inside

IP virtual-reassembly

IP nat inside source list interface NAT-output GigabitEthernet2 overload

IP nat inside source static tcp 10.160.8.5 80 80 X.X.X.X map route No. - NAT extensible

IP nat inside source static tcp 10.160.8.5 443 443 X.X.X.X map route No. - NAT extensible

NAT-outgoing extended IP access list

refuse 10.160.8.5 tcp host 10.0.0.0 0.0.0.255 eq www

refuse 10.160.8.5 tcp host 10.0.0.0 0.0.0.255 eq 443

permit tcp host 10.160.8.5 all eq www

permit tcp host 10.160.8.5 any eq 443

No. - NAT extended IP access list

refuse 10.160.8.5 tcp host 10.0.0.0 0.0.0.255 eq www

refuse 10.160.8.5 tcp host 10.0.0.0 0.0.0.255 eq 443

allow an ip

route No. - NAT allowed 10 map

corresponds to the IP no. - NAT

With the above configuration, we can get to the Internet 10.160.8.5, but cannot cross it over the VPN tunnel (from 10.200.0.0/16). If I remove the two commands «ip nat inside source static...» ', then the opposite that happens - I can get then to 10.160.8.5 it VPN tunnel but I now can't get to it from the Internet.

How can I get both? It seems that when I hit the first NAT instruction (overload Gig2) that 'decline' in the list of ACL-NAT-outgoing punts me out of this statement of NAT. It can process the following statement of NAT (one of the 'ip nat inside source static... ") but does not seem to"deny"it in the NON - NAT ACL me punt out of this statement of NAT. That's my theory anyway (maybe something is happening?)

If this work like that or I understand something correctly? It's on a router Cisco's Cloud Services (CSR 1000v).

Thank you!

Your netmask is bad for your 10.0.0.0/8. I worry not about the port/protocol or since that can screw you up. A better way to do it would be to deny all IP vpn traffic.

NAT-outgoing extended IP access list

deny ip 10.160.8.0 0.0.0.0.255 10.0.0.0 0.255.255.255

...

No. - NAT extended IP access list

deny ip 10.160.8.0 0.0.0.0.255 10.0.0.0 0.255.255.255

allow an ip

Doc:

Router to router IPSec with NAT and Cisco Secure VPN Client overload

Thank you

Brendan

Tunnel VPN L2L with NATTing will not allow traffic which will be initiated by spoke to the hub.

Traffic from internal hosts will NAT address works ok, but what speaks tests it traffic never connects.

get the 10.1.12.232 NAT host would be 172.27.63.133 and past through the VPN tunnel to 10.24.4.65 without problem. However when 10.24.4.65 tries to ping or connect to 172.27.63.133 traffic does not make inside host 10.1.12.232

ASA-1 #.
!
network object obj - 172.27.73.0
172.27.73.0 subnet 255.255.255.0
network object obj - 172.27.63.0
172.27.63.0 subnet 255.255.255.0
network object obj - 10.1.0.0
10.1.0.0 subnet 255.255.0.0
network object obj - 10.24.4.64
subnet 10.24.4.64 255.255.255.224
network object obj - 172.27.73.0 - 172.27.73.255
range 172.27.73.0 172.27.73.255
the object of the 10.0.0.0 network
subnet 10.0.0.0 255.0.0.0
network object obj - 24.173.237.212
Home 24.173.237.212
network object obj - 10.1.12.232
Home 10.1.12.232
network object obj - 172.27.63.133
Home 172.27.63.133
the DM_INLINE_NETWORK_9 object-group network
object-network 10.0.0.0 255.255.255.0
object-network 10.0.11.0 255.255.255.0
object-network 10.0.100.0 255.255.255.0
object-network 10.0.101.0 255.255.255.0
object-network 10.0.102.0 255.255.255.0
object-network 10.0.103.0 255.255.255.0
the DM_INLINE_NETWORK_16 object-group network
object-network 10.1.11.0 255.255.255.0
object-network 10.1.12.0 255.255.255.0
object-network 10.1.13.0 255.255.255.0
object-network 10.1.3.0 255.255.255.0
!
outside_1_cryptomap list extended access permitted ip object-group DM_INLINE_NETWORK_16-group of objects DM_INLINE_NETWORK_9
access extensive list ip 172.27.73.0 outside_8_cryptomap allow 255.255.255.0 10.24.4.64 255.255.255.224
access extensive list ip 172.27.63.0 outside_8_cryptomap allow 255.255.255.0 10.24.4.64 255.255.255.224
!
list of allowed outside access extended ip 10.24.4.64 255.255.255.224 172.27.63.0 255.255.255.0
list of allowed outside access extended ip 10.24.4.64 255.255.255.224 10.1.0.0 255.255.0.0
list of allowed outside access extended ip 172.27.63.0 255.255.255.0 10.1.0.0 255.255.0.0
!
NAT (inside, all) source static obj - 172.27.73.0 obj - 172.27.73.0 destination static obj - 10.24.4.64 obj - 10.24.4.64 no-proxy-arp-search to itinerary
NAT (inside, all) source static obj - 172.27.63.0 obj - 172.27.63.0 destination static obj - 10.24.4.64 obj - 10.24.4.64 no-proxy-arp-search to itinerary
NAT (inside, outside) source dynamic obj - 10.66.0.0 obj - 172.27.73.0 - 172.27.73.255 destination static obj - 10.24.4.64 obj - 10.24.4.64
NAT (inside, outside) source dynamic obj - 10.70.0.0 obj - 172.27.73.0 - 172.27.73.255 destination static obj - 10.24.4.64 obj - 10.24.4.64
NAT (inside, outside) source dynamic obj - 10.96.228.0 obj - 172.27.73.0 - 172.27.73.255 destination static obj - 10.24.4.64 obj - 10.24.4.64
NAT (inside, outside) source dynamic obj - 10.96.229.0 obj - 172.27.73.0 - 172.27.73.255 destination static obj - 10.24.4.64 obj - 10.24.4.64
NAT (inside, outside) source dynamic obj - 192.168.5.0 obj - 172.27.73.0 - 172.27.73.255 destination static obj - 10.24.4.64 obj - 10.24.4.64
NAT (inside, outside) source dynamic obj - 10.75.0.0 obj - 172.27.73.0 - 172.27.73.255 destination static obj - 10.24.4.64 obj - 10.24.4.64
NAT (inside, outside) source dynamic obj - 10.11.0.0 obj - 172.27.73.0 - 172.27.73.255 destination static obj - 10.24.4.64 obj - 10.24.4.64
NAT (inside, outside) source static obj - 10.1.3.37 obj - 10.71.0.37 destination static obj - 50.84.209.140 obj - 50.84.209.140
NAT (inside, outside) source static obj - 10.1.3.38 obj - 10.71.0.38 destination static obj - 50.84.209.140 obj - 50.84.209.140
NAT (inside, outside) source static obj - 10.1.12.232 obj - 172.27.63.133 destination static obj - 10.24.4.64 obj - 10.24.4.64
NAT (inside, outside) source dynamic obj - 10.1.0.0 obj - 172.27.73.0 - 172.27.73.255 destination static obj - 10.24.4.64 obj - 10.24.4.64
!
NAT (exterior, Interior) source static obj - 10.24.4.64 obj - 10.24.4.64 destination static obj - 172.27.63.133 obj - 10.1.12.232
NAT (outside, outside) source static obj - 10.24.4.64 obj - 10.24.4.64 destination static obj - 172.27.63.133 obj - 10.1.12.232

the object of the 10.0.0.0 network
NAT (inside, outside) dynamic obj - 24.173.237.212
!
NAT (VendorDMZ, outside) the after-service automatic source dynamic obj - 192.168.13.0 obj - 24.173.237.212
outside access-group in external interface
Route outside 0.0.0.0 0.0.0.0 24.173.237.209 1
Route inside 10.1.0.0 255.255.0.0 10.1.10.1 1
Route inside 10.2.1.0 255.255.255.248 10.1.10.1 1
!
Crypto ipsec transform-set ikev1 SHA-ESP-3DES esp-3des esp-sha-hmac
Crypto ipsec transform-set ikev1 ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
Crypto ipsec transform-set ikev1 ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
Crypto ipsec transform-set ikev1 ESP-3DES-SHA-DH2-esp-3des esp-sha-hmac
Crypto ipsec pmtu aging infinite - the security association
!
card crypto GEMed 8 corresponds to the address outside_8_cryptomap
card crypto GEMed 8 set peer 64.245.57.4
card crypto GEMed 8 set ikev1 transform-set ESP-AES-256-SHA ESP-AES-256-MD5
GEMed outside crypto map interface
!
: end
ASA-1 #.

Hello

First of all, I would like to remove these two lines because they do nothing productive
```
nat (outside,inside) source static obj-10.24.4.64 obj-10.24.4.64 destination static obj-172.27.63.133 obj-10.1.12.232nat (outside,outside) source static obj-10.24.4.64 obj-10.24.4.64 destination static obj-172.27.63.133 obj-10.1.12.232
```
Then, I was running packet - trace to see what NAT rule actually hit you.
```
packet-tracer input inside 10.1.12.232 12345 10.24.4.65 12345
```

Traffic to the VPN router IOS NAT tunnel

I need to configure a VPN tunnel that NATs traffic above him. I have already established VPN tunnels and NAT traffic. I did this on a concentrator VPN and ASA, but have seen some places where people say is not possible on a router or I saw real hard evidence that it is. For example, I use a Cisco 2801 router with 12.4(8a) and advanced security. This can be quite difficult as the subnet / vlan that we need NAT needs to pass normal traffic on other VPN tunnels and using a NAT on the Internet directly. Y does it have, any restrictions on it as the IOS version, being a router itself, NAT configuration. Any help is greatly appreciated.

Hi James,

NAT VPN traffic, you can like you do with ASAs on IOS routers.

If you do, it is that you create an ACL to set traffic to be coordinated, apply the ACL to a NAT rule and a condition that NAT statement with a roadmap to occur only when the traffic will be sent through the tunnel.

Federico.

interesting question of the vpn site to site NAT/PAT traffic config

I have an ASA 8.4.2 running code and am just checking the Site to site configs before migration of tunnel. more precisely if the NAT/PAT and ACL is correct. Phase 1 is already defined and work, as well as cryptographic maps and tunnel groups.

When you set the traffic interesting in the ACL are you using NAT or the real IP? The order of the ACL is correct?

First of all:

The vedor network is a 192.168.1.10 and must be coordinated to 10.1.0.2
```
name 5.6.7.8 VendorName object-group network VendorName-R network-object host 192.168.1.10 object-group network VendorName-NAT-R network-object host 10.1.0.2 object-group network VendorName-L network-object host 10.1.1.3 access-list VendorName-crypto extended permit ip object-group VendorName-L object-group VendorName-NAT-R nat (inside,outside) 1 source static VendorName-L VendorName-NAT-R destination static VendorName-R VendorName-R
```
Second:

Sellers network is 192.168.1.0 to 192.168.2.0, these must be PATed 10.1.0.2 and 10.1.0.3

192.168.1.20 and 168.1.21 must be staticly using a NAT 10.1.0.4 and 10.1.0.5

Name the SupplierName 5.6.7.8

object-group network VendorName-R-1

network-object subnet 192.168.1.0 255.255.255.0

object-group network VendorName-R-2

network-object subnet 192.168.2.0 255.255.255.0

object-group network VendorName-R-3

network-object host 192.168.1.20

object-group network VendorName-R-4

network-object host 192.168.1.21

object-group network VendorName-NAT-R-1

network-object host 10.1.0.2

object-group network VendorName-NAT-R-2

network-object host 10.1.0.3

object-group network VendorName-NAT-R-3

network-object host 10.1.0.4

object-group network VendorName-NAT-R-4

network-object host 10.1.0.5

object-group network VendorName-R

network-object VendorName-NAT-R-1

network-object VendorName-NAT-R-2

network-object VendorName-NAT-R-3

network-object VendorName-NAT-R-4

object-group network VendorName-L

network-object host 10.1.1.3

the object-Network 10.1.1.6 host

VendorName-crypto allowed extended ip access-list object-VendorName-L Group VendorName-R

NAT (inside, outside) 1 dynamic source VendorName-l VendorName-NAT-R-1 static destination VendorName-R-1 VendorName-R-1

NAT (inside, outside) 1 dynamic source VendorName-l VendorName-NAT-R-2 static destination VendorName-R-2 VendorName-R-2

NAT (inside, outside) 1 static source VendorName-l VendorName-NAT-R-3 of destination VendorName-R-3 static VendorName-R-3

NAT (inside, outside) 1 static source VendorName-l VendorName-NAT-R-4 static destination VendorName-R-4 VendorName-R-4

Your valuable traffic acl MUST be the IP NAT address.

IP NAT on the router on SSL - VPN appliance

Someone at - it allows to transmit 443/SSL on a SSL VPN Cisco 891 - K9 unit?

(I have never encountered this situation before as the router VPN terminated public face directly or we had several IPs public to assign the VPN device directly a public IP address).

With ' ip nat inside source static tcp 44.55.66.255 443 10.10.10.150 443 extensible "is supposed to pass the SSL request to the appliance SSL VPN to 10.10.10.150 to have VPN applications ended here.

But failed miserably body 891 - K9 created a virtual ARP entry for 10.10.10.150. So two MACs with the same IP address.

So 443 requests were sent to its interface. At the hearing of NAT, I can't ssh inside SSL - VPN, but by the time the statemet disappeared, I can ssh and warning dupliacte ARP goes.

* 1 Nov 19:22:46.871: % IP-4-DUPADDR: duplicate address 10.10.10.150 on Vlan10, a source of aaaa.bbbb.cccc
* 1 Nov 19:23:18.083: % IP-4-DUPADDR: duplicate address 10.10.10.150 on Vlan10, a source of aaaa.bbbb.cccc
* 1 Nov 19:23:48.295: % IP-4-DUPADDR: duplicate address 10.10.10.150 on Vlan10, a source of aaaa.bbbb.cccc
RTR #sh clock
* 19:24:26.487 UTC Sunday, November 1, 2015
RTR #sh ip arp 10.10.10.150
Protocol of age (min) address Addr Type Interface equipment
Internet 10.10.10.150 - e02f.6d96.8dd0 ARPA Vlan10
RTR #sh ip arp 10.10.10.150
Protocol of age (min) address Addr Type Interface equipment
Internet 10.10.10.150 - e02f.6d96.8dd0 ARPA Vlan10
RTR #sh sh ip route 10.10.10.150

Cisco TAC to reproduce this problem at the moment to report dev.

Does anyone else have this problem or a workaround?

Thank you.

I may be misunderstanding but isn't your NAT statement backwards IE. If you want traffic to pass to 10.10.10.150 it shouldn't be-

' ip nat inside source static tcp 10.10.10.150 43 43 44.55.66.25x.

isn't the device for SSL connection on interface 'ip nat inside '?

Jon

Cannot ping inside the vpn client hosts. It's a NAT problem

Hello everyone, I'm running into what seems to be a cause of exclusion with an IOS IPSEC VPN NAT/nat. I can connect to the VPN with cisco IPSEC VPN client, and I am able to authenticate. Once I have authenticate, I'm not able to reach one of the guests inside. Below is my relevant config. Any help would be greatly appreciated.

AAA new-model

!

!

AAA authentication login default local

radius of group AAA authentication login userauthen

AAA authorization exec default local

AAA authorization groupauthor LAN

crypto ISAKMP policy 3

BA 3des

preshared authentication

Group 2

!

ISAKMP crypto client configuration group businessVPN

key xxxxxx

DNS 192.168.10.2

business.local field

pool vpnpool

ACL 108

Crypto isakmp VPNclient profile

businessVPN group identity match

client authentication list userauthen

ISAKMP authorization list groupauthor

client configuration address respond

!

!

Crypto ipsec transform-set esp-3des esp-sha-hmac RIGHT

!

Crypto-map dynamic dynmap 10

Set transform-set RIGHT

Define VPNclient isakmp-profile

market arriere-route

!

!

10 ipsec-isakmp crypto map clientmap Dynamics dynmap

interface Loopback0

IP 10.1.10.2 255.255.255.252

no ip redirection

no ip unreachable

no ip proxy-arp

IP virtual-reassembly

!

Null0 interface

no ip unreachable

!

interface FastEthernet0/0

IP 111.111.111.138 255.255.255.252

IP access-group outside_in in

no ip redirection

no ip unreachable

no ip proxy-arp

NAT outside IP

inspect the outgoing IP outside

IP virtual-reassembly

automatic duplex

automatic speed

clientmap card crypto

!

the integrated-Service-Engine0/0 interface

description Locator is initialized with default IMAP group

IP unnumbered Loopback0

no ip redirection

no ip unreachable

no ip proxy-arp

IP virtual-reassembly

ip address of service-module 10.1.10.1 255.255.255.252

Service-module ip default gateway - 10.1.10.2

interface BVI1

IP 192.168.10.1 255.255.255.0

no ip redirection

no ip unreachable

no ip proxy-arp

IP nat inside

IP virtual-reassembly

IP nat inside source static tcp 192.168.10.2 25 interface FastEthernet0/0 25

IP nat inside source static tcp 192.168.10.2 443 interface FastEthernet0/0 443

IP nat inside source static tcp 192.168.10.2 3389 interface FastEthernet0/0 3389

IP nat inside source map route nat interface FastEthernet0/0 overload

nat extended IP access list

deny ip 192.168.10.0 0.0.0.255 192.168.109.0 0.0.0.255

refuse the 10.1.1.0 ip 0.0.0.255 192.168.109.0 0.0.0.255

ip licensing 10.1.1.0 0.0.0.255 any

permit ip 192.168.10.0 0.0.0.255 any

sheep extended IP access list

permit ip 192.168.10.0 0.0.0.255 192.168.109.0 0.0.0.255

ip permit 10.1.10.0 0.0.0.255 192.168.109.0 0.0.0.255

ip licensing 10.1.1.0 0.0.0.255 192.168.109.0 0.0.0.255

outside_in extended IP access list

permit tcp object-group Yes_SMTP host 111.111.111.138 eq smtp

permit any any eq 443 tcp

permit tcp 20.20.20.96 0.0.0.31 host 111.111.111.138 eq 3389

permit tcp 20.20.20.96 0.0.0.31 host 111.111.111.138 eq 22

allow any host 111.111.111.138 esp

allow any host 111.111.111.138 eq isakmp udp

allow any host 111.111.111.138 eq non500-isakmp udp

allow any host 111.111.111.138 ahp

allow accord any host 111.111.111.138

access-list 108 allow ip 192.168.109.0 0.0.0.255 192.168.10.0 0.0.0.255

access-list 108 allow ip 192.168.109.0 0.0.0.255 10.1.1.0 0.0.0.255

access-list 108 allow ip 192.168.109.0 0.0.0.255 10.1.10.0 0.0.0.255

!

!

!

!

route nat allowed 10 map

match ip address nat

1 channel ip bridge

In my view, the acl applied to customer is back. It must allow traffic from the internal network to the pool of customers.

To confirm, you can open the Cisco VPN client statistics (after login) then go in the route Details tab. We should see the networks you should be able to reach the customer. Make sure that the good ones are here.

Kind regards

NAT on the VPN traffic

Similar Questions

Maybe you are looking for