NAT an outside source to an internal server

I have worked on this for months and I'm still not able to get it working properly. What I want to accomplish is to allow Usablenet to connect to our staging web server from the Internet, from a range of Usablenet IPs.

The strange thing is that this does not seem to be correct:

object network web_staging_net
 nat (web_staging,outside) dynamic interface

nat (web_staging,outside) source static obj-10.x.x.197 obj-209.x.x.97 destination static Useablenet Useablenet

ACL:

access-list outside_in extended permit tcp object-group Useablenet host 10.x.x.197 eq www

Any help will be greatly appreciated.

What is the configuration of the web_staging_net object? Is it a subnet or a single host?

I recommend creating a host object for 10.x.x.197 and removing the static NAT entry from the other object.

Something like this:

object network web_10.x.x.197
 host 10.x.x.197
 nat (web_staging,outside) static 209.x.x.97
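The answer above put together as a complete post-8.3 ASA configuration, added here as an example and not part of the original thread. It reuses the thread's names and x.x placeholders; it assumes web_staging_net is the /24 that contains the server and that Usablenet's source range is 203.0.113.0/24 (a documentation prefix standing in for the real range). The dynamic PAT on the rest of the staging subnet is kept so the other hosts still reach the Internet.

```cisco
! Usablenet source range (assumed; substitute the real range)
object-group network Useablenet
 network-object 203.0.113.0 255.255.255.0

! The rest of the staging subnet keeps outbound PAT to the outside address
object network web_staging_net
 subnet 10.x.x.0 255.255.255.0
 nat (web_staging,outside) dynamic interface

! The staging server gets its own host object with the 1:1 static translation.
! Within NAT section 2, static object NAT is evaluated before dynamic, so this
! rule wins over the subnet rule above for 10.x.x.197 in both directions.
object network web_10.x.x.197
 host 10.x.x.197
 nat (web_staging,outside) static 209.x.x.97

! Post-8.3 interface ACLs match the real (untranslated) address, so the rule
! names 10.x.x.197 even though packets arrive addressed to 209.x.x.97.
! Limiting the source to the Useablenet group is what keeps the static
! translation from exposing the staging server to the whole Internet.
access-list outside_in extended permit tcp object-group Useablenet host 10.x.x.197 eq www
access-group outside_in in interface outside

! Checks: the static translation must be listed, and a simulated Usablenet
! client must untranslate to 10.x.x.197 in the NAT phase and end with ALLOW.
show nat detail
packet-tracer input outside tcp 203.0.113.10 40000 209.x.x.97 80
```

If packet-tracer shows the dynamic interface translation instead of the static one, the host object is missing or its NAT line was removed; if it drops in the ACCESS-LIST phase, check the contents of the Useablenet group against the address the client actually connects from.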

Tags: Cisco Security

Similar Questions

  • Need help! ASA 5505 not passing PPTP through to the internal server

    Hello:

    Recently I added a new Cisco ASA 5505 as the company network firewall. I found that PPTP authentication does not get through to the internal Microsoft server. Any help and answers are appreciated.

    Please see my setup as below. Thank you!

    ASA Version 8.4(3)
    !
    names
    !
    interface Ethernet0/0
     switchport access vlan 2
    !
    interface Ethernet0/1
     switchport access vlan 2
    !
    interface Ethernet0/2
    !
    interface Ethernet0/3
    !
    interface Ethernet0/4
    !
    interface Ethernet0/5
    !
    interface Ethernet0/6
    !
    interface Ethernet0/7
    !
    interface Vlan1
     nameif inside
     security-level 100
     ip address 172.29.8.254 255.255.255.0
    !
    interface Vlan2
     nameif outside
     security-level 0
     ip address 177.164.222.140 255.255.255.248
    !
    ftp mode passive
    clock timezone GMT 0
    dns server-group DefaultDNS
     domain-name ABCtech.com
    same-security-traffic permit inter-interface
    object network obj_any
     subnet 172.29.8.0 255.255.255.0
    object service RDP
     service tcp source eq 3389
    object network Orange
     host 172.29.8.151
    object network WAN_173_164_222_138
     host 177.164.222.138
    object service SMTP
     service tcp source eq smtp
    object service PPTP
     service tcp source eq pptp
    object service JT_WWW
     service tcp source eq www
    object service JT_HTTPS
     service tcp source eq https
    object network obj_lex
     subnet 172.29.88.0 255.255.255.0
     description Lexington office network
    object network obj_HQ
     subnet 172.29.8.0 255.255.255.0
    object network guava
     host 172.29.8.3
    object service L2TP
     service udp source eq 1701
    access-list VPN_Tunnel_User standard permit 172.29.8.0 255.255.255.0
    access-list VPN_Tunnel_User standard permit 172.29.88.0 255.255.255.0
    access-list inside_access_in extended permit icmp any any
    access-list inside_access_in extended deny tcp any any eq 135
    access-list inside_access_in extended deny tcp any eq 135 any
    access-list inside_access_in extended deny udp any eq 135 any
    access-list inside_access_in extended deny udp any any eq 135
    access-list inside_access_in extended deny tcp any any eq 1591
    access-list inside_access_in extended deny tcp any eq 1591 any
    access-list inside_access_in extended deny udp any eq 1591 any
    access-list inside_access_in extended deny udp any any eq 1591
    access-list inside_access_in extended deny tcp any any eq 1214
    access-list inside_access_in extended deny tcp any eq 1214 any
    access-list inside_access_in extended deny udp any any eq 1214
    access-list inside_access_in extended deny udp any eq 1214 any
    access-list inside_access_in extended permit ip any any
    access-list inside_access_in extended permit tcp any any eq www
    access-list inside_access_in extended permit tcp any eq www any
    access-list outside_access_in extended permit icmp any any
    access-list outside_access_in extended permit tcp any host 177.164.222.138 eq 3389
    access-list outside_access_in extended permit tcp any host 177.164.222.138 eq smtp
    access-list outside_access_in extended permit tcp any host 177.164.222.138 eq pptp
    access-list outside_access_in extended permit tcp any host 177.164.222.138 eq www
    access-list outside_access_in extended permit tcp any host 177.164.222.138 eq https
    access-list outside_access_in extended permit gre any host 177.164.222.138
    access-list outside_access_in extended permit udp any host 177.164.222.138 eq 1701
    access-list outside_access_in extended permit ip any any
    access-list inside_access_out extended permit icmp any any
    access-list inside_access_out extended permit ip any any
    access-list outside_cryptomap extended permit ip 172.29.8.0 255.255.255.0 172.29.88.0 255.255.255.0
    access-list inside_in extended permit icmp any any
    access-list inside_in extended permit ip any any
    access-list inside_in extended permit udp any any eq isakmp
    access-list inside_in extended permit udp any eq isakmp any
    access-list inside_in extended permit udp any any
    access-list inside_in extended permit tcp any any
    pager lines 24
    logging enable
    logging asdm informational
    mtu inside 1500
    mtu outside 1500
    ip local pool ABC_HQVPN_DHCP 172.29.8.210-172.29.8.230 mask 255.255.255.0
    icmp unreachable rate-limit 1 burst-size 1
    asdm history enable
    arp timeout 14400
    nat (inside,outside) source static Orange interface service RDP RDP
    nat (inside,outside) source static obj_HQ obj_HQ destination static obj_lex obj_lex route-lookup
    nat (inside,outside) source static guava WAN_173_164_222_138 service JT_WWW JT_WWW
    nat (inside,outside) source static guava WAN_173_164_222_138 service JT_HTTPS JT_HTTPS
    nat (inside,outside) source static guava WAN_173_164_222_138 service RDP RDP
    nat (inside,outside) source static guava WAN_173_164_222_138 service SMTP SMTP
    nat (inside,outside) source static guava WAN_173_164_222_138 service PPTP PPTP
    nat (inside,outside) source static guava WAN_173_164_222_138 service L2TP L2TP
    !
    object network obj_any
     nat (inside,outside) dynamic interface
    access-group inside_in in interface inside
    access-group outside_access_in in interface outside
    route outside 0.0.0.0 0.0.0.0 177.164.222.142 1
    route inside 172.29.168.0 255.255.255.0 172.29.8.253 1
    timeout xlate 3:00:00
    timeout pat-xlate 0:00:30
    timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
    timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
    timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
    timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
    timeout tcp-proxy-reassembly 0:01:00
    timeout floating-conn 0:00:00
    dynamic-access-policy-record DfltAccessPolicy
    aaa-server guava protocol nt
    aaa-server guava (inside) host 172.29.8.3
     timeout 15
     nt-auth-domain-controller guava
    user-identity default-domain LOCAL
    http server enable
    http 172.29.8.0 255.255.255.0 inside
    no snmp-server location
    no snmp-server contact
    snmp-server enable traps snmp authentication linkup linkdown coldstart warmstart
    crypto ipsec ikev1 transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
    crypto ipsec ikev1 transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac
    crypto ipsec ikev1 transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac
    crypto ipsec ikev1 transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac
    crypto ipsec ikev1 transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
    crypto ipsec ikev1 transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
    crypto ipsec ikev1 transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
    crypto ipsec ikev1 transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
    crypto ipsec ikev1 transform-set ESP-DES-SHA esp-des esp-sha-hmac
    crypto ipsec ikev1 transform-set ESP-DES-MD5 esp-des esp-md5-hmac
    crypto ipsec ikev1 transform-set Remote_VPN_Set esp-3des esp-md5-hmac
    crypto ipsec ikev1 transform-set Remote_vpn_set esp-3des esp-md5-hmac
    crypto ipsec ikev2 ipsec-proposal AES256
     protocol esp encryption aes-256
     protocol esp integrity sha-1 md5
    crypto ipsec ikev2 ipsec-proposal AES192
     protocol esp encryption aes-192
     protocol esp integrity sha-1 md5
    crypto ipsec ikev2 ipsec-proposal AES
     protocol esp encryption aes
     protocol esp integrity sha-1 md5
    crypto ipsec ikev2 ipsec-proposal 3DES
     protocol esp encryption 3des
     protocol esp integrity sha-1 md5
    crypto ipsec ikev2 ipsec-proposal DES
     protocol esp encryption des
     protocol esp integrity sha-1 md5
    crypto dynamic-map outside_dyn_map 20 set ikev1 transform-set Remote_VPN_Set
    crypto dynamic-map outside_dyn_map 20 set reverse-route
    crypto map outside_map 1 match address outside_cryptomap
    crypto map outside_map 1 set peer 173.190.123.138
    crypto map outside_map 1 set ikev1 transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5
    crypto map outside_map 1 set ikev2 ipsec-proposal AES256 AES192 AES 3DES DES
    crypto map outside_map 65535 ipsec-isakmp dynamic outside_dyn_map
    crypto map outside_map interface outside
    crypto ikev2 policy 1
     encryption aes-256
     integrity sha
     group 2 5
     prf sha
     lifetime seconds 86400
    crypto ikev2 policy 10
     encryption aes-192
     integrity sha
     group 2 5
     prf sha
     lifetime seconds 86400
    crypto ikev2 policy 20
     encryption aes
     integrity sha
     group 2 5
     prf sha
     lifetime seconds 86400
    crypto ikev2 policy 30
     encryption 3des
     integrity sha
     group 2 5
     prf sha
     lifetime seconds 86400
    crypto ikev2 policy 40
     encryption des
     integrity sha
     group 2 5
     prf sha
     lifetime seconds 86400
    crypto ikev2 enable outside
    crypto ikev1 enable outside
    crypto ikev1 policy 1
     authentication pre-share
     encryption 3des
     hash sha
     group 2
     lifetime 43200
    crypto ikev1 policy 10
     authentication crack
     encryption aes-256
     hash sha
     group 2
     lifetime 86400
    crypto ikev1 policy 20
     authentication rsa-sig
     encryption aes-256
     hash sha
     group 2
     lifetime 86400
    crypto ikev1 policy 30
     authentication pre-share
     encryption aes-256
     hash sha
     group 2
     lifetime 86400
    crypto ikev1 policy 40
     authentication crack
     encryption aes-192
     hash sha
     group 2
     lifetime 86400
    crypto ikev1 policy 50
     authentication rsa-sig
     encryption aes-192
     hash sha
     group 2
     lifetime 86400
    crypto ikev1 policy 60
     authentication pre-share
     encryption aes-192
     hash sha
     group 2
     lifetime 86400
    crypto ikev1 policy 70
     authentication crack
     encryption aes
     hash sha
     group 2
     lifetime 86400
    crypto ikev1 policy 80
     authentication rsa-sig
     encryption aes
     hash sha
     group 2
     lifetime 86400
    crypto ikev1 policy 90
     authentication pre-share
     encryption aes
     hash sha
     group 2
     lifetime 86400
    crypto ikev1 policy 100
     authentication crack
     encryption 3des
     hash sha
     group 2
     lifetime 86400
    crypto ikev1 policy 110
     authentication rsa-sig
     encryption 3des
     hash sha
     group 2
     lifetime 86400
    crypto ikev1 policy 120
     authentication pre-share
     encryption 3des
     hash sha
     group 2
     lifetime 86400
    crypto ikev1 policy 130
     authentication crack
     encryption des
     hash sha
     group 2
     lifetime 86400
    crypto ikev1 policy 140
     authentication rsa-sig
     encryption des
     hash sha
     group 2
     lifetime 86400
    crypto ikev1 policy 150
     authentication pre-share
     encryption des
     hash sha
     group 2
     lifetime 86400
    telnet 192.168.1.0 255.255.255.0 inside
    telnet 172.29.8.0 255.255.255.0 inside
    telnet timeout 5
    ssh timeout 5
    console timeout 0

    dhcpd auto_config outside vpnclient-wins-override
    !
    dhcprelay server 172.29.8.3 inside
    threat-detection basic-threat
    threat-detection statistics access-list
    no threat-detection statistics tcp-intercept
    webvpn
     enable outside
    group-policy ABCtech_VPN internal
    group-policy ABCtech_VPN attributes
     dns-server value 172.29.8.3
     vpn-tunnel-protocol ikev1
     split-tunnel-policy tunnelspecified
     split-tunnel-network-list value VPN_Tunnel_User
     default-domain value ABCtech.local
    group-policy GroupPolicy_10.8.8.1 internal
    group-policy GroupPolicy_10.8.8.1 attributes
     vpn-tunnel-protocol ikev1 ikev2
    username <user> password eicyrfJBrqOaxQvS encrypted
    tunnel-group 10.8.8.1 type ipsec-l2l
    tunnel-group 10.8.8.1 general-attributes
     default-group-policy GroupPolicy_10.8.8.1
    tunnel-group 10.8.8.1 ipsec-attributes
     ikev1 pre-shared-key *****
     ikev2 remote-authentication pre-shared-key *****
     ikev2 remote-authentication certificate
     ikev2 local-authentication pre-shared-key *****
    tunnel-group ABCtech type remote-access
    tunnel-group ABCtech general-attributes
     address-pool ABC_HQVPN_DHCP
     authentication-server-group guava
     default-group-policy ABCtech_VPN
    tunnel-group ABCtech ipsec-attributes
     ikev1 pre-shared-key *****
    tunnel-group 173.190.123.138 type ipsec-l2l
    tunnel-group 173.190.123.138 general-attributes
     default-group-policy GroupPolicy_10.8.8.1
    tunnel-group 173.190.123.138 ipsec-attributes
     ikev1 pre-shared-key *****
     ikev2 remote-authentication pre-shared-key *****
     ikev2 remote-authentication certificate
     ikev2 local-authentication pre-shared-key *****
    !
    class-map inspection_default
     match default-inspection-traffic
    !
    !
    policy-map global_policy
     class inspection_default
      inspect pptp
      inspect ftp
      inspect netbios
    !
    smtp-server 172.29.8.3
    prompt hostname context
    no call-home reporting anonymous
    Cryptochecksum:6a26676668b742900360f924b4bc80de
    : end

    Hello Wayne,

    The first thing I noticed:

    In the ACL you are pointing to the public IP while it should be the private one (you have a permit ip any any at the end, so it's not a problem. FYI, if you decide to take out that permit ip any any, then you should point to the private server IP addresses).

    Now, the policy-map where the PPTP inspection, etc., is configured is not applied by any service-policy, so add:

    service-policy global_policy global

    Don't forget that for a PPTP connection to get established we should see 2 things:

    - Negotiation is done on TCP port 1723, and then the data packets are exchanged over GRE.

    Follow my blog for more information on this topic:

    http://laguiadelnetworking.com/2012/12/22/what-is-new-on-the-PPTP-inspection-on-the-ASA/

    Try it and let me know.

    Julio
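The two requirements in Julio's answer, a TCP/1723 control channel plus GRE data and an inspection policy that is actually applied, as an added example that is not part of the thread. It reuses the thread's object names and addresses (guava at 172.29.8.3 published on 177.164.222.138) but replaces Wayne's manual "source static ... service PPTP PPTP" rule with an object-NAT port forward; the guava_pptp object name and the use of ASA 8.3+ syntax are assumptions.

```cisco
! Public address and the PPTP server (names from the thread's config)
object network WAN_173_164_222_138
 host 177.164.222.138
object network guava
 host 172.29.8.3

! Control channel: only TCP/1723 of the public address is forwarded to the
! server. A separate object is needed because each object carries one NAT rule.
object network guava_pptp
 host 172.29.8.3
 nat (inside,outside) static WAN_173_164_222_138 service tcp pptp pptp

! Post-8.3 ACLs name the real address, not the public one. GRE (IP protocol
! 47) carries the tunnelled data and has no ports, so it cannot be
! port-forwarded; the ASA maps it to the server only because PPTP inspection
! watches the TCP/1723 negotiation and opens the GRE flow for it.
access-list outside_access_in extended permit tcp any object guava eq pptp
access-list outside_access_in extended permit gre any object guava
access-group outside_access_in in interface outside

policy-map global_policy
 class inspection_default
  inspect pptp
! Without this line the policy-map exists but inspects nothing.
service-policy global_policy global

! Checks: the inspection counters must move when a client connects, and the
! GRE flow must appear in the connection table next to the 1723 session.
show service-policy inspect pptp
show conn | include 1723
show conn | include GRE
```

If the 1723 session appears but no GRE connection ever does, the inspection is not applied (the service-policy line is missing) or the client is not behind the path you expect; if neither appears, start with packet-tracer on the outside interface for TCP/1723 to confirm the NAT and ACL phases.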

  • L2L VPN with static NAT to hide internal IPs on a Cisco 1841 ISR

    I configured an L2L VPN on a Cisco 1841 ISR.  I'm statically NATing some of my internal hosts to IPs that are included in the encrypted traffic.  Please note that not all internal hosts are being NATed.  I am doing this to hide some of the actual IP addresses on the inside network.  I confirmed that the VPN works, as well as the NATed VPN traffic.  I have traditionally configured L2L VPNs on Cisco ASA 5500 Series devices, and this is my first attempt with an ISR 1841.  I would just like others to take a glance to see if I missed something, or whether I could simplify part of the configuration.  All comments are welcome.

    VPN-RTR-01#show run
    Building configuration...

    Current configuration : 9316 bytes
    !
    version 12.4
    service timestamps debug datetime msec
    service timestamps log datetime msec
    service password-encryption
    !
    hostname VPN-RTR-01
    !
    boot-start-marker
    boot-end-marker
    !
    ! card type command needed for slot/vwic-slot 0/0
    logging buffered 51200 warnings
    no logging console
    enable secret 5 xxxxxxxxxxxxxxx
    enable password 7 xxxxxxxxxxxxxxx
    !
    no aaa new-model
    ip cef
    !
    !
    !
    !
    no ip domain lookup
    ip auth-proxy max-nodata-conns 3
    ip admission max-nodata-conns 3
    !
    !
    crypto pki trustpoint TP-self-signed-2010810276
     enrollment selfsigned
     subject-name cn=IOS-Self-Signed-Certificate-2010810276
     revocation-check none
     rsakeypair TP-self-signed-2010810276
    !
    !
    crypto pki certificate chain TP-self-signed-2010810276
     certificate self-signed 01
    30820246 308201AF A0030201 02020101 300 D 0609 2A 864886 F70D0101 04050030
    2 060355 04031326 494F532D 53656 C 66 2 AND 536967 6E65642D 43657274 31312F30
    69666963 32303130 38313032 6174652D 3736301E 31393334 OF 30333131 170 3131
    30365A 17 0D 323030 31303130 30303030 305A 3031 06035504 03132649 312F302D
    4F532D53 5369676E 656C662D 43 65727469 66696361 74652 32 30313038 65642D
    31303237 3630819F 300 D 0609 2A 864886 01050003, 818, 0030, 81890281 F70D0101
    8100C3FF F5EADA3B BCB06873 5577DB24 2AD8ECBB 00D53F1A 37342E2E 5CC9202A
    7F128E51 016CD6EC D8734F4D 28BE8B0A FCD6B714 8D13585B 7844C09C 79BA8F13
    B75E4E98 25D91F02 A4773F66 83407A8B 85447 64 A6889DD9 6085857F 737F8A9F
    749F4297 8804C4F3 D28A6C33 F4137BBE 67F9B945 F239789E 1303AD6D DB98B7E2
    52B 50203 010001 HAS 3 1 130101 FF040530 030101FF 30190603 0F060355 6E306C30
    551 1104 12301082 0E535458 2D56504E 2 525452 2 303130 1 230418 1F060355 D
    3B 232987 30168014 2CBB9DD0 B34B7243 7F8095C8 7AFBEFE3 301D 0603 551D0E04
    1604143B 2329872C BB9DD0B3 4B72437F 8095C87A FBEFE330 0D06092A 864886F7
    010104 05000381 8100A 831 8E05114A DE8AF6C5 4CB45914 36B6427C 42B30F07 0D
    C5C47BC9 0110BCAA A985CB3F 5CBB855B B12D3225 B8021234 86D1952C 655071E4
    66C18F42 F84492A9 835DE884 341B3A95 A3CED4E8 F37E7609 88F52640 741D74D2
    37842 D 39 E5F2B208 0D4D57E1 C5633DEB ACDFC897 7D50683D 05B5FDAA E42714B4
    DD29E815 E9F90877 4 D 68
      quit
    username lhocin privilege 15 password 7 xxxxxxxxxxxxxxx
    username jsmith privilege 15 password 7 xxxxxxxxxxxxxxx
    !
    !
    !
    !
    crypto isakmp policy 5
     encr aes 256
     authentication pre-share
     group 2
     lifetime 28800
    crypto isakmp key xxxxxxxxxxxxxxx address 172.21.0.1 no-xauth
    !
    !
    crypto ipsec transform-set ESP-AES256-SHA esp-aes 256 esp-sha-hmac
    !
    crypto map VPN-REMOTE-SITES 1 ipsec-isakmp
     set peer 172.21.0.1
     set transform-set ESP-AES256-SHA
     match address VPN-REMOTE-SITE
    !
    !
    !
    interface FastEthernet0/0
     no ip address
     speed auto
     full-duplex
     no mop enabled
    !
    interface FastEthernet0/0.1
     encapsulation dot1Q 1 native
    !
    interface FastEthernet0/0.2
     description $FW_INSIDE$
     encapsulation dot1Q 61
     ip address 10.1.0.34 255.255.255.224
     ip access-group 100 in
     ip nat inside
     ip virtual-reassembly
    !
    interface FastEthernet0/0.3
     description $FW_OUTSIDE$
     encapsulation dot1Q 111
     ip address 172.20.32.17 255.255.255.224
     ip access-group 101 in
     ip verify unicast reverse-path
     ip nat outside
     ip virtual-reassembly
     crypto map VPN-REMOTE-SITE
    !
    interface FastEthernet0/1
     no ip address
     shutdown
     duplex auto
     speed auto
    !
    ip forward-protocol nd
    ip route 0.0.0.0 0.0.0.0 172.20.32.1
    ip route 10.16.0.0 255.255.0.0 10.1.0.33
    ip route 10.19.0.0 255.255.0.0 10.1.0.33
    ip route 10.191.0.0 255.255.0.0 10.1.0.33
    ip route 10.192.0.0 255.255.0.0 10.1.0.33
    ip route 192.168.20.48 255.255.255.240 10.1.0.33
    !
    !
    ip http server
    ip http authentication local
    ip http secure-server
    ip http timeout-policy idle 600 life 86400 requests 10000
    ip nat inside source route-map NO_NAT interface FastEthernet0/0.3 overload
    ip nat inside source static 10.191.0.11 192.168.20.54 route-map STATIC_NAT_7 extendable
    ip nat inside source static 10.191.0.12 192.168.20.55 route-map STATIC_NAT_8 extendable
    ip nat inside source static 10.192.1.1 192.168.20.56 route-map STATIC_NAT_1 extendable
    ip nat inside source static 10.192.1.2 192.168.20.57 route-map STATIC_NAT_2 extendable
    ip nat inside source static 10.192.1.3 192.168.20.58 route-map STATIC_NAT_3 extendable
    ip nat inside source static 10.192.1.4 192.168.20.59 route-map STATIC_NAT_4 extendable
    ip nat inside source static 10.192.1.5 192.168.20.61 route-map STATIC_NAT_5 extendable
    ip nat inside source static 10.16.1.6 192.168.20.62 route-map STATIC_NAT_6 extendable
    !
    ip access-list extended VPN-REMOTE-SITE
     permit ip 192.168.20.48 0.0.0.15 host 10.174.52.39
     permit ip 192.168.20.48 0.0.0.15 host 10.174.52.40
    ip access-list extended inside_nat_static_1
     permit ip host 10.192.1.1 host 10.174.52.39
     permit ip host 10.192.1.1 host 10.174.52.40
     deny ip any any
    ip access-list extended inside_nat_static_2
     permit ip host 10.192.1.2 host 10.174.52.39
     permit ip host 10.192.1.2 host 10.174.52.40
     deny ip any any
    ip access-list extended inside_nat_static_3
     permit ip host 10.192.1.3 host 10.174.52.39
     permit ip host 10.192.1.3 host 10.174.52.40
     deny ip any any
    ip access-list extended inside_nat_static_4
     permit ip host 10.192.1.4 host 10.174.52.39
     permit ip host 10.192.1.4 host 10.174.52.40
     deny ip any any
    ip access-list extended inside_nat_static_5
     permit ip host 10.192.1.5 host 10.174.52.39
     permit ip host 10.192.1.5 host 10.174.52.40
     deny ip any any
    ip access-list extended inside_nat_static_6
     permit ip host 10.16.1.6 host 10.174.52.39
     permit ip host 10.16.1.6 host 10.174.52.40
     deny ip any any
    ip access-list extended inside_nat_static_7
     permit ip host 10.191.0.11 host 10.174.52.39
     permit ip host 10.191.0.11 host 10.174.52.40
     deny ip any any
    ip access-list extended inside_nat_static_8
     permit ip host 10.191.0.12 host 10.174.52.39
     permit ip host 10.191.0.12 host 10.174.52.40
     deny ip any any
    !
    access-list 100 remark auto generated by SDM firewall configuration
    access-list 100 remark SDM_ACL Category=1
    access-list 100 deny ip 172.20.32.0 0.0.0.31 any
    access-list 100 deny ip host 255.255.255.255 any
    access-list 100 deny ip 127.0.0.0 0.255.255.255 any
    access-list 100 permit ip any any
    access-list 101 remark SDM_ACL Category=17
    access-list 101 permit udp any host 192.168.20.62
    access-list 101 permit tcp any host 192.168.20.62
    access-list 101 permit udp any host 192.168.20.61
    access-list 101 permit tcp any host 192.168.20.61
    access-list 101 permit udp any host 192.168.20.59
    access-list 101 permit tcp any host 192.168.20.59
    access-list 101 permit udp any host 192.168.20.58
    access-list 101 permit tcp any host 192.168.20.58
    access-list 101 permit udp any host 192.168.20.57
    access-list 101 permit tcp any host 192.168.20.57
    access-list 101 permit udp any host 192.168.20.56
    access-list 101 permit tcp any host 192.168.20.56
    access-list 101 permit udp any host 192.168.20.55
    access-list 101 permit tcp any host 192.168.20.55
    access-list 101 permit udp any host 192.168.20.54
    access-list 101 permit tcp any host 192.168.20.54
    access-list 101 permit ip host 10.174.52.40 192.168.20.48 0.0.0.15
    access-list 101 permit ip host 10.174.52.39 192.168.20.48 0.0.0.15
    access-list 101 permit udp host 172.21.0.1 host 172.20.32.17 eq non500-isakmp
    access-list 101 permit udp host 172.21.0.1 host 172.20.32.17 eq isakmp
    access-list 101 permit esp host 172.21.0.1 host 172.20.32.17
    access-list 101 permit ahp host 172.21.0.1 host 172.20.32.17
    access-list 101 permit icmp any host 172.20.32.17 echo-reply
    access-list 101 permit icmp any host 172.20.32.17 time-exceeded
    access-list 101 permit icmp any host 172.20.32.17 unreachable
    access-list 101 permit udp any host 172.20.32.17 eq isakmp log
    access-list 101 permit udp any host 172.20.32.17 eq non500-isakmp
    access-list 101 permit tcp any host 172.20.32.17 eq 443
    access-list 101 permit tcp any host 172.20.32.17 eq 22
    access-list 101 permit tcp any host 172.20.32.17 eq cmd
    access-list 101 deny ip 10.1.0.32 0.0.0.31 any
    access-list 101 deny ip 10.0.0.0 0.255.255.255 any
    access-list 101 deny ip 172.16.0.0 0.15.255.255 any
    access-list 101 deny ip 192.168.0.0 0.0.255.255 any
    access-list 101 deny ip 127.0.0.0 0.255.255.255 any
    access-list 101 deny ip host 255.255.255.255 any
    access-list 101 deny ip host 0.0.0.0 any
    access-list 101 deny ip any any log
    access-list 102 deny ip 192.168.20.48 0.0.0.15 host 10.174.52.40
    access-list 102 deny ip 192.168.20.48 0.0.0.15 host 10.174.52.39
    access-list 102 permit ip 10.1.0.32 0.0.0.31 any
    !
    route-map NO_NAT permit 1
     match ip address 102
    !
    route-map STATIC_NAT_8 permit 10
     match ip address inside_nat_static_8
    !
    route-map STATIC_NAT_5 permit 10
     match ip address inside_nat_static_5
    !
    route-map STATIC_NAT_4 permit 10
     match ip address inside_nat_static_4
    !
    route-map STATIC_NAT_7 permit 10
     match ip address inside_nat_static_7
    !
    route-map STATIC_NAT_6 permit 10
     match ip address inside_nat_static_6
    !
    route-map STATIC_NAT_1 permit 10
     match ip address inside_nat_static_1
    !
    route-map STATIC_NAT_3 permit 10
     match ip address inside_nat_static_3
    !
    route-map STATIC_NAT_2 permit 10
     match ip address inside_nat_static_2
    !
    !
    !
    control-plane
    !
    !
    !
    line con 0
     exec-timeout 30 0
    line aux 0
    line vty 0 4
     privilege level 15
     login local
     transport input telnet ssh
    line vty 5 15
     privilege level 15
     login local
     transport input telnet ssh
    !
    scheduler allocate 20000 1000
    end

    VPN-RTR-01#

    Hello

    Configuration looks ok to me.

    You can also cross-reference it with the following link:

    http://www.Cisco.com/en/us/Tech/tk583/TK372/technologies_configuration_example09186a0080223a59.shtml

    I hope this helps.

    Kind regards

    Anisha

    P.S.: Please mark this thread as answered if you feel that your query is resolved. Rate helpful posts.

  • NAT problem for the Web server


    I have configured a new Cisco ASA 5512. I can't access our website from outside. We host our site internally.
    This is how I configured it. The internal IP of the web server is 192.168.1.19.
    In the following config, I changed the public IP of the web server to 99.99.99.99.
    Can someone help me with this?

    object network Webserver
     host 192.168.1.19
     nat (inside,outside) static 99.99.99.99
     nat (inside,outside) static interface service tcp www www
    access-list outside_access_in extended permit tcp any object Webserver eq www
    access-group outside_access_in in interface outside

    It is not open by default, but you have already enabled it.

    Remember that all you need is one translation; you have:

    object network Webserver
     host 192.168.1.19
     nat (inside,outside) static 99.99.99.99

    And the access list allowing access to the desired ports:

    access-list outside_access_in extended permit tcp any object Webserver eq www
    access-list outside_access_in extended permit tcp any object Webserver eq 8080
    access-group outside_access_in in interface outside

  • 2600 NAT outside public to private inside addresses

    I would like to make servers with private addresses available to hosts (with public addresses) on the other side of a router. Can someone give me a pointer?

    TIA

    You want to configure static NAT.

    Suppose that 10.10.1.5 is the inside server and 193.234.211.12 is your free external IP. Just configure this line:

    ip nat inside source static 10.10.1.5 193.234.211.12

    And everyone who accesses the external IP address will go to the internal one (static NAT).

    see you soon

    Robert
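Robert's one-liner as a complete, minimal IOS configuration, added here as an example and not part of the original thread. Only 10.10.1.5 and 193.234.211.12 come from the answer; the interface names, the other addresses and the ACL number are assumptions.

```cisco
! Interface roles: IOS NAT only translates between an "inside" and an
! "outside" interface, so the static line does nothing until these are set.
interface FastEthernet0/0
 ip address 10.10.1.1 255.255.255.0
 ip nat inside
!
interface FastEthernet0/1
 ip address 193.234.211.2 255.255.255.0
 ip nat outside
 ip access-group 110 in
!
! Full 1:1 static translation: every port of 193.234.211.12 now reaches
! 10.10.1.5, in both directions, whether or not the host expects it.
ip nat inside source static 10.10.1.5 193.234.211.12
!
! Alternative when only one service is published: a port-level static
! translation exposes just TCP/80 and leaves the rest of the host unreachable
! even if the ACL below is later loosened. Use one form or the other.
! ip nat inside source static tcp 10.10.1.5 80 193.234.211.12 80
!
! Inbound ACLs on the outside interface are evaluated before outside-to-inside
! NAT, so they must match the public address, not 10.10.1.5. Only the
! published services are allowed in; everything else unsolicited is dropped
! and logged.
access-list 110 permit tcp any host 193.234.211.12 eq 80
access-list 110 permit tcp any host 193.234.211.12 eq 443
access-list 110 deny ip any any log
!
! Checks:
!   show ip nat translations   (the static entry is listed immediately)
!   show access-lists 110      (hit counts show which rule a client matched)
```

If LAN hosts also open sessions out through this interface, their return traffic will hit the deny line too; add stateful inspection (ip inspect or a zone-based policy) for that traffic rather than widening the ACL.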

  • Hub and spoke topology: can I route Internet traffic from PCs at a spoke site through the tunnel and NAT it out to the world on the 5520 hub?

    I don't know if this can be made to work or not, or if it's a mutually exclusive NAT configuration that is not possible, but I have an ASA 5520 at my central office site with a 20 Mbps fiber Internet connection and two remote offices with ASA 5505 devices connected via DSL or cable modem, and I have finally got the site-to-site "spoke" VPN tunnels up and running, with the ability to route spoke-to-spoke traffic through a 'hairpin' on the hub site 5520.

    I have desktop PCs at each of the remote sites, spokes A & B, that need to communicate directly with each other to support a small workgroup-style point-of-sale software package that is actually hosted on a PC at remote site A.

    The PCs at both remote sites must also be able to communicate with a credit card processing service over the public Internet, and I wish to have the ASA 5505 units in each remote office block all traffic from each respective local LAN PC from being NATed straight out to the Internet over each site's cable or DSL modem. I want to force these PCs to route their Internet-destined traffic back through the ASA 5520 located at the home office, over the VPN tunnels. In other words, I want the cable modem and DSL connections to route strictly VPN-encrypted traffic to the home office rather than also behaving like NAT routers for the local PCs.

    I can stop the 5505s from NATing the PCs in the remote offices simply by removing the factory-default dynamic NAT rule for 'any', but then I can't figure out how to get my central 5520 to perform the NAT required for the remote PCs to talk to their Internet credit card processing service without breaking the NAT-exempt configs necessary for spoke-to-spoke VPN traffic to work. If I try to put a static or dynamic NAT entry for a remote PC on my central ASA 5520, it breaks the VPN tunnel for that specific PC.

    Is what I want to accomplish even possible with the ASA?

    Hi Neal,

    Yes, it's quite possible! Below is a list of things you need to do:

    (1) Make sure, of course, that on both ASA 5505s you send ALL traffic from the local network through the VPN.

    (2) As Andrew mentioned, have the 'same-security-traffic permit intra-interface' command on the ASA 5520.

    (3) You do not have to have a proxy server configured, but that is also a good solution. To make it work without one, assuming the ASA 5505 remote subnets are 192.168.1.0/24 and 192.168.2.0/24, add the config lines below to the ASA 5520:

    nat (outside) 1 192.168.1.0 255.255.255.0

    nat (outside) 1 192.168.2.0 255.255.255.0

    global (outside) 1 interface

    Please note that the id 1 and the interface can be replaced according to the configuration you already have in place on the ASA 5520.

    I don't know what kind of NAT exemptions are causing the issues for you, but if you can post a sanitized config from one of your ASA 5505s and the ASA 5520, I can make suggestions on the exact configuration.

    Let me know if it helps!

    Thank you and best regards,

    Assia
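The hub-side configuration from Assia's answer in the ASA 8.3+ NAT syntax, added here as an example and not part of the thread (the answer's "nat (outside) 1 ..." lines are the pre-8.3 form). The spoke subnets 192.168.1.0/24 and 192.168.2.0/24 come from the answer; the hub LAN 10.0.0.0/24, the object names and an 8.4(2)-or-later image (for the route-lookup keyword) are assumptions. The identity rules are the part that addresses Neal's symptom of a NAT entry breaking the tunnel for a spoke PC.

```cisco
! Traffic that enters and leaves the same interface (spoke -> hub -> spoke,
! spoke -> hub -> Internet) is dropped without this.
same-security-traffic permit intra-interface

object network HUB_LAN
 subnet 10.0.0.0 255.255.255.0
object network SPOKE_A_LAN
 subnet 192.168.1.0 255.255.255.0
object network SPOKE_B_LAN
 subnet 192.168.2.0 255.255.255.0
object-group network SPOKE_LANS
 network-object object SPOKE_A_LAN
 network-object object SPOKE_B_LAN

! NAT section 1 (manual NAT) is evaluated first. These identity rules keep
! hub-to-spoke and spoke-to-spoke traffic untranslated so it still matches
! the crypto ACLs; without the outside,outside rule the spoke-to-spoke flow
! would fall through to the PAT below and the tunnel would "break" for it.
nat (inside,outside) source static HUB_LAN HUB_LAN destination static SPOKE_LANS SPOKE_LANS no-proxy-arp route-lookup
nat (outside,outside) source static SPOKE_LANS SPOKE_LANS destination static SPOKE_LANS SPOKE_LANS no-proxy-arp route-lookup

! NAT section 2 (object NAT) only sees what section 1 did not match: spoke
! traffic bound for the Internet re-enters and leaves the outside interface,
! PATed to the hub's public address.
object network SPOKE_A_LAN
 nat (outside,outside) dynamic interface
object network SPOKE_B_LAN
 nat (outside,outside) dynamic interface

! Checks: a spoke host to a public address must show the outside-to-outside
! PAT and a final ALLOW; a spoke host to the other spoke must show the
! identity translation and leave via the crypto map, not the PAT.
packet-tracer input outside tcp 192.168.1.10 40000 198.51.100.5 443
packet-tracer input outside tcp 192.168.1.10 40000 192.168.2.10 445
```

The spokes' crypto ACLs must already send all traffic (0.0.0.0/0) to the hub, as step (1) in the answer says; the hub's crypto ACL for each spoke then needs to cover the other spoke's subnet and the hub LAN, and nothing on the hub should translate those flows, which is exactly what the two identity rules guarantee.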

  • Cannot display the webpage, error about the internal server and 500 being down for maintenance

    Cannot display the webpage, error about the internal server and 500 being down for maintenance? I can use the Yahoo search option and get to the website, but when I try to post comments online I get this message.  I tried restarting and got the same answer.  I just set Windows to update when I logged on tonight.

    Hi ginnypierson,

    Thanks for posting in the Microsoft community.

    I understand that you are facing an issue where the webpage cannot be displayed and you get an error about 500 and the internal server being down for maintenance.

    Before you start the troubleshooting steps, I need the following information:

    1. what web browser do you use?

    2. have you made any changes to the computer?

    3. this problem occurs only with the particular website?

    Method 1:

    If you use Internet Explorer, I suggest you see the link below and check.

    Get help with website error messages (HTTP errors).

    http://Windows.Microsoft.com/en-us/Windows-Vista/get-help-with-website-error-messages-HTTP-errors

    Method 2:

    I suggest you see the link below and check.

    How to optimize Internet Explorer

    http://support.Microsoft.com/kb/936213/ro

    WARNING: Resetting Internet Explorer settings can reset security settings or privacy settings that you have added to the list of Trusted Sites. Resetting the Internet Explorer settings can also reset parental control settings. We recommend that you note these sites before you use the reset Internet Explorer settings.

    Please follow these recommended steps, review the additional information provided and post back if you still experience the issue. I will be happy to provide you with additional options available that you can use to get this resolved.

  • Cannot create the data source to SQL Server

    Hi people,

    I am running IIS, Windows XP SP3, SQL Express 2005, Trial Version of ColdFusion 9 (no patches).

    In the ColdFusion Administrator, when I try to create a data source for SQLExpress 2005 (SQL Server Express) using the SQL Server driver, I get the following error:

    Connection verification failed for data source: AMT
    java.sql.SQLException: [Macromedia] [SQLServer JDBC Driver] the requested instance is not valid or is not running.
    The root cause was that: java.sql.SQLException: [Macromedia] [SQLServer JDBC Driver] the requested instance is not valid or is not running.

    The "instance", which I interpret as meaning the database instance, is "machinename\SQLExpress" (a so-called "named instance").  That's what I enter in the "Server" field of the form (Data & Services -> Data Sources -> Microsoft SQL Server).

    However, I am able to create an ODBC data source name in Windows using the Microsoft SQL Server Native Client driver version 09.00.3042 and the same instance, "machinename\SQLExpress".

    Does anyone have any ideas as to what is wrong?

    Try using the TCP/IP hostname (or IP address) and port instead of the Windows-style connectivity info.  You may need to enable TCP/IP as a network protocol on the DB server as well (I think it is disabled by default on SQL Express Ed).

    --

    Adam

  • PIX 501 problems with the web server internal.

    I want to open up my internal Web server so it can be accessed from outside. I have read here about how to do it and I have done what I think is right, but I can't get it to work.

    For now I have just tried to open the standard http port 80, but later I want to open a specific port and also use SSL on the web server for added security.

    So I would like help with my setup now, and also with how to do it when using other ports and SSL later.

    Thanks Thomas!

    PIX Version 6.3(1)
    interface ethernet0 10baset
    interface ethernet1 100full
    nameif ethernet0 outside security0
    nameif ethernet1 inside security100
    hostname alfta
    domain-name ciscopix.com
    names
    name 192.168.1.16 TerminalPC
    name 192.168.3.0 Lager
    access-list inside_nat0_outbound permit ip 192.168.1.0 255.255.255.0 192.168.2.0 255.255.255.0
    access-list inside_nat0_outbound permit ip 192.168.1.0 255.255.255.0 Lager 255.255.255.0
    access-list outside_cryptomap_20 permit ip 192.168.1.0 255.255.255.0 192.168.2.0 255.255.255.0
    access-list outside_cryptomap_40 permit ip 192.168.1.0 255.255.255.0 Lager 255.255.255.0
    access-list outside_cryptomap_60 permit ip 192.168.1.0 255.255.255.0 192.168.2.0 255.255.255.0
    access-list outside_access_in permit tcp any eq www host 62.108.197.90 eq www
    ip address outside 62.108.197.90 255.255.255.192
    ip address inside 192.168.1.254 255.255.255.0
    ip audit info action alarm
    ip audit attack action alarm
    pdm location 62.108.197.10 255.255.255.255 outside
    pdm location 62.108.197.11 255.255.255.255 outside
    pdm location 192.168.1.0 255.255.255.255 inside
    pdm location TerminalPC 255.255.255.255 inside
    pdm location 192.168.2.0 255.255.255.0 outside
    pdm location Lager 255.255.255.0 outside
    pdm location 192.168.2.0 255.255.255.0 inside
    pdm location 62.108.197.137 255.255.255.255 outside
    pdm location 62.108.197.137 255.255.255.255 inside
    pdm location 195.67.210.72 255.255.255.255 outside
    pdm location 62.108.197.90 255.255.255.255 inside
    pdm logging informational 100
    global (outside) 1 interface
    nat (inside) 0 access-list inside_nat0_outbound
    nat (inside) 1 0.0.0.0 0.0.0.0 0 0
    static (inside,outside) tcp 62.108.197.90 www TerminalPC www netmask 255.255.255.255 0 0
    access-group outside_access_in in interface outside
    route outside 0.0.0.0 0.0.0.0 62.108.197.65 1
    http server enable
    http 62.108.197.10 255.255.255.255 outside
    http 62.108.197.11 255.255.255.255 outside
    http 195.67.210.72 255.255.255.255 outside
    http 192.168.1.0 255.255.255.0 inside
    http 62.108.197.137 255.255.255.255 inside
    floodguard enable
    sysopt connection permit-ipsec
    crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac
    crypto ipsec transform-set strong esp-des esp-sha-hmac
    crypto map outside_map 20 ipsec-isakmp
    crypto map outside_map 20 match address outside_cryptomap_20
    crypto map outside_map 20 set peer 195.198.46.88
    crypto map outside_map 20 set transform-set ESP-DES-MD5
    crypto map outside_map 40 ipsec-isakmp
    crypto map outside_map 40 match address outside_cryptomap_40
    crypto map outside_map 40 set peer 62.108.197.137
    crypto map outside_map 40 set transform-set ESP-DES-MD5
    crypto map outside_map 60 ipsec-isakmp
    crypto map outside_map 60 match address outside_cryptomap_60
    crypto map outside_map 60 set peer 195.198.46.88
    crypto map outside_map 60 set transform-set ESP-DES-MD5
    crypto map outside_map interface outside
    isakmp enable outside
    isakmp key ******** address 62.108.197.137 netmask 255.255.255.255
    isakmp key ******** address 195.198.46.88 netmask 255.255.255.255
    isakmp policy 10 authentication pre-share
    isakmp policy 10 encryption des
    isakmp policy 10 hash sha
    isakmp policy 10 group 1
    isakmp policy 10 lifetime 86400
    isakmp policy 20 authentication pre-share
    isakmp policy 20 encryption des
    isakmp policy 20 hash md5
    isakmp policy 20 group 2
    isakmp policy 20 lifetime 86400
    telnet 192.168.1.0 255.255.255.255 inside

    Take out your ACL - access-list outside_access_in permit tcp any host 62.108.197.90 eq www

    And apply a new one:

    access-list outside_access_in permit tcp any host 62.108.197.90 eq www

    access-group outside_access_in in interface outside

    * You have the access-group above in your original configuration post, BUT not in the post above.

    Don't forget to issue clear xlate after the change and also save with write mem.

    Try to do this in the pix CLI instead of using PDM.

    Hope this helps and let me know how you go.

    Jay
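    The three pieces Jay's answer insists on (the static that publishes the host/port, an ACL entry that permits it, and the access-group that binds that ACL to the outside interface) are easy to check by hand on a short config and easy to miss on a long one. The following script is an added example, not code from the thread or from Cisco: it parses those three line types from a PIX 6.x-style config and reports, for every port-forwarding static, whether the published service is actually reachable. It also flags an ACL entry that only permits a fixed source port, which client connections (whose source ports are ephemeral) never match. The sample configs are constructed here around the thread's own `static` line; the `name` entry and ACL contents are taken from the thread.

```python
"""Audit a PIX 6.x-style config for a published inside service.

Added example, not code from the thread or from Cisco. For each
`static (inside,outside) tcp|udp ...` it checks that the ACL bound to the
outside interface by `access-group` actually permits the mapped host/port.
"""
import re

# Port-forwarding static: static (real_if,mapped_if) PROTO MAPPED_IP MAPPED_PORT REAL_IP REAL_PORT netmask ...
STATIC_RE = re.compile(r"^static \(\w+,\s*\w+\) (tcp|udp) (\S+) (\S+) (\S+) (\S+) netmask")


def parse_acl_line(line):
    """Parse 'access-list NAME permit PROTO SRC [eq SPORT] DST [eq DPORT]'.

    SRC/DST are 'any', 'host X' or 'NET MASK'. Returns None for other lines.
    """
    tok = line.split()
    if len(tok) < 6 or tok[0] != "access-list" or tok[2] != "permit":
        return None
    name, proto, i = tok[1], tok[3], 4

    def take_addr():
        nonlocal i
        if i >= len(tok):
            return None
        if tok[i] == "any":
            i += 1
            return "any"
        if tok[i] == "host" and i + 1 < len(tok):
            i += 2
            return tok[i - 1]
        if i + 1 < len(tok):
            i += 2
            return f"{tok[i - 2]}/{tok[i - 1]}"
        return None

    src = take_addr()
    src_port = None                      # "any eq www": a source-port restriction
    if i + 1 < len(tok) and tok[i] == "eq":
        src_port, i = tok[i + 1], i + 2
    dst = take_addr()
    dst_port = None
    if i + 1 < len(tok) and tok[i] == "eq":
        dst_port = tok[i + 1]
    return name, proto, src, src_port, dst, dst_port


def parse_config(text):
    statics, acls, bound = [], {}, {}
    for raw in text.splitlines():
        line = raw.strip()
        m = STATIC_RE.match(line)
        if m:
            statics.append(m.groups())   # (proto, mapped_ip, mapped_port, real_ip, real_port)
            continue
        entry = parse_acl_line(line)
        if entry:
            acls.setdefault(entry[0], []).append(entry[1:])
            continue
        tok = line.split()               # access-group NAME in interface IFACE
        if len(tok) == 5 and tok[0] == "access-group" and tok[2] == "in":
            bound[tok[4]] = tok[1]
    return statics, acls, bound


def audit(text, outside_if="outside"):
    """Return {'proto/mapped_ip:port': verdict} for every port-forwarding static."""
    statics, acls, bound = parse_config(text)
    acl_name = bound.get(outside_if)
    verdicts = {}
    for proto, mapped_ip, mapped_port, real_ip, real_port in statics:
        key = f"{proto}/{mapped_ip}:{mapped_port}"
        if acl_name is None:
            verdicts[key] = f"unreachable: no access-group binds an ACL to {outside_if}"
            continue
        usable, source_port_only = False, False
        for p, src, src_port, dst, dst_port in acls.get(acl_name, []):
            if p not in (proto, "ip") or dst not in (mapped_ip, "any"):
                continue
            if dst_port not in (None, mapped_port):
                continue
            if src_port is not None:     # matches only clients sending from that port
                source_port_only = True
                continue
            usable = True
        if usable:
            verdicts[key] = f"reachable: {acl_name} permits it to {real_ip}:{real_port}"
        elif source_port_only:
            verdicts[key] = f"blocked: {acl_name} only permits it with a fixed source port"
        else:
            verdicts[key] = f"blocked: {acl_name} has no permit for it"
    return verdicts


# Constructed samples built around the thread's static line.
BASE = """\
name 192.168.1.16 TerminalPC
static (inside,outside) tcp 62.108.197.90 www TerminalPC www netmask 255.255.255.255 0 0
"""
UNBOUND = BASE + "access-list outside_access_in permit tcp any host 62.108.197.90 eq www\n"
BIND = "access-group outside_access_in in interface outside\n"
SOURCE_PORT = UNBOUND.replace("any host", "any eq www host") + BIND   # ACL with a source port
FIXED = UNBOUND + BIND                                                # ACL permits it and is bound

if __name__ == "__main__":
    for label, cfg in (("unbound", UNBOUND), ("source-port", SOURCE_PORT), ("fixed", FIXED)):
        print(label, audit(cfg))
```

    The audit only models what the thread discusses (port statics, the outside ACL and its binding); it does not evaluate nat/global order or the `clear xlate` step, which is why re-running it after a change is no substitute for clearing stale translations on the box.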

  • How to present the internal mail server on the secondary address.

    Peace,

    I have a WAN interface with 3 addresses, and I have an internal e-mail server. When I send emails from the mail server it appears to the world as the primary address, let's say x.y.z.67. I want it to appear as the secondary address x.y.z.68. How do I do this?

    I already have static NAT for ports 25, 110, 995 and several others, but that only applies when mail is sent to the mail server, not when mail is sent from the mail server.

    any help?

    I did a quick lab with this and then forgot to post back :-)

    It was on an emulator, but I couldn't make it work.

    I tried to create a NAT pool using the secondary IP for the e-mail server to use, but it did not work.

    And there is no way to tell IOS you want to overload the mail server IP to a secondary IP address, i.e. it overloads only on the primary IP of the interface.

    The only thing I can think of right now is a one-to-one NAT between the real mail server IP and the secondary IP address, but this requires that you do not use the secondary IP address for port redirects to other servers.

    Is there a reason it has to be a secondary IP address, i.e. IOS will NAT anyway, even if the IP address is not assigned to the interface.

    Jon

  • Multiple NAT outside ranges?

    HI -.

    I hope someone can advise me if this scenario is possible.

    Here's my situation. I just installed a second WAN link and an additional border router to dual-home to ISPs using BGP. To ease management, we will use one of the 2 /24s we control now; however the one we will use later, the new block, comes from the second ISP, which of course means going through an IP address change.

    I'm trying to avoid a plan where I have to change all the public IP addresses over a weekend, due to the number of different VPNs and other IP-specific connections that other organizations have with us, so I was trying to plan a gradual migration.

    I have a single 515 (6.3) for outbound traffic, and adding another is not possible for about 6 months (the lease is expected to come up around the time we will go to the ASA). Eventually the addresses outside the firewall will be a single /24 network, but in the meantime I would like to use both ranges (using NAT) on the firewall.

    By design, the GW for the firewall is currently the gig port on the original router. This router is using static routes for outbound and inbound traffic to our ASN, but the newly installed router is using BGP. Before I turn on BGP on the original router, I have a connection between the two and I want to implement policy-based routing to send all traffic from the new /24 range with a next hop of the new router running BGP.

    I tried yesterday and I had no connectivity, not even ping, to the edge router using this new set of IP addresses. Is it possible to implement these two ranges of IPs for NAT on the firewall and have both ranges use the same gateway IP address?

    I know it's probably confused, so if you need clarification in any field, let me know.

    Thanks for your help.

    I don't see why it would not work as long as you have control of the config of the next-hop router outside the PIX. Set up the first subnet as usual, then route your second subnet to the IP of the PIX. Implement the NATs on the PIX as you wish. On the gateway router you need to set up policy routing (route-map) so that it uses an ACL to look at the source IP address coming from the PIX and routes one range to one ISP and the other range to the other ISP.

  • Internal Server Error - the server encountered an internal error or misconfiguration and was unable to complete your request.

    I get the following error message when you try to access one of my hotmail accounts:

    Internal Server Error - read the server has encountered an internal error or misconfiguration and was unable to respond to your request. Reference #3.269102cc.1330033628.4ef0aa7f.
    What is this error and how to fix it?
    Thanks Ellie

    I get the same message... must be a problem with hotmail.

  • Internal Authentication Server

    Hello, this is my third time posting the same problem about VPN 3000 authentication, but so far I have had no reply or mail.

    Maybe this time I'll be clearer than the other times.

    Go ahead. Go ahead...

    I have a VPN 3000 with a PPTP VPN tunnel, and the first authentication option is the Radius Server:

    Configuration > System > Servers > Authentication is first the Radius Server and then Internal (internal authentication on the Base Group)

    But when I configure a user in User Management > Users it does not work. I think the order of authentication is first RADIUS and, if it does not find the user, the second option (in this case the internal server) is processed, but instead the error in the log is:

    00:00:08.550 44 04/20/2011-SEV = 3 RPT AUTH/5 = 137 187.55.63.215
    Authentication was rejected: reason = authentication failure
    manage = 299, Server = (none), user = x 1, area =

    00:00:08.550 04/20/2011 46, SEV = 5 PPP/9 RPT = 135 187.55.63.215
    User [x 1]
    disconnected (MSCHAP VERSION-2) authentication failure...

    What is the behavior of the VPN 3000 when the first server (in this case a RADIUS) does not find the user? Is the second one processed?

    How do I get the second option to be processed?

    I thank.

    You can lock the radius user to a specific policy as follows:

    http://www.Cisco.com/en/us/Tech/tk59/technologies_configuration_example09186a00800946a2.shtml

    Alternatively, you can also have the radius server assign the IP address; the following option enables this feature:

    http://www.Cisco.com/en/us/docs/security/vpn3000/vpn3000_47/configuration/guide/address.html#wp1000336

    (select: Use Address from Authentication Server)

    Then you need your radius server to assign IP addresses to users.

  • VPN using ip with NAT outside

    I am trying to configure a tunnel linking our Cisco 5520 with a 5550, using one of our external IPs NATted through that tunnel. For some reason any traffic that should hit this tunnel goes through the global NAT instead. Here are the configs I have for this tunnel:

    access-list policy-nat extended permit ip host 66.77.88.170 host 1.2.3.4
    access-list Outside_cryptomap_60 extended permit ip inside-network 255.255.254.0 host 1.2.3.4
    access-list Outside_cryptomap_60 extended permit ip host 66.85.99.170 host 1.2.3.4
    global (outside) 1 66.77.88.135 netmask 255.255.255.192
    static (inside,outside) 66.77.88.170 access-list policy-nat
    crypto ipsec transform-set TRANSFORM_SET esp-3des esp-md5-hmac
    crypto map Outside_map 60 match address Outside_cryptomap_60
    crypto map Outside_map 60 set peer 200.200.200.200
    crypto map Outside_map 60 set transform-set TRANSFORM_SET
    tunnel-group 200.200.200.200 type ipsec-l2l
    tunnel-group 200.200.200.200 general-attributes
     default-group-policy site2site
    tunnel-group 200.200.200.200 ipsec-attributes
     pre-shared-key *

    If I ping 1.2.3.4 from an inside host I see in the logs that it uses 66.77.88.136 as the NAT address and not 66.77.88.170. Do you see something wrong with this configuration?

    You basically have the wrong ACLs in the wrong places.

    It should be as follows --->

    crypto map Outside_map 60 match address policy-nat
    crypto map Outside_map 60 set peer 200.200.200.200
    crypto map Outside_map 60 set transform-set TRANSFORM_SET

    access-list policy-nat extended permit ip host 66.77.88.170 host 1.2.3.4

    static (inside,outside) 66.77.88.170 access-list Outside_cryptomap_60

    access-list Outside_cryptomap_60 extended permit ip inside-network 255.255.254.0 host 1.2.3.4 ---> this ACL does not need the 2nd line you have
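    The reason the swap in the answer above matters is the order in which a pre-8.3 ASA handles the packet: policy NAT is matched against the real (inside) addresses, and the crypto map's ACL is then matched against the translated packet. The script below is an added example, not code from the thread or from Cisco; it models exactly that order and traces what the poster's config and the suggested config do with a ping from an inside host to 1.2.3.4. Two values are assumptions because the thread does not state them: the `inside-network` name object is taken to be 10.0.0.0 (with the /23 mask from the ACL), and the PAT address is set to 66.77.88.136, the address the poster saw in the logs. The constructed configs reproduce only the NAT and crypto lines that the model needs.

```python
"""Trace the translated source and tunnel match for an inside host (pre-8.3 ASA).

Added example, not code from the thread or from Cisco. Model of the documented
order of operations:
  1. policy NAT first: the first `static (inside,outside) MAPPED access-list ACL`
     whose ACL permits the *real* source/destination rewrites the source to MAPPED;
  2. otherwise the `global (outside)` PAT address is used;
  3. the crypto map's `match address` ACL is evaluated on the *translated* packet.
"""
import ipaddress

# Assumed value for the `name` object used in the thread's ACL (not stated there).
NAMES = {"inside-network": "10.0.0.0"}


def _addr(tok, i):
    """Parse 'any' | 'host X' | 'NET MASK' at tok[i]; return (network, next index)."""
    if tok[i] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), i + 1
    if tok[i] == "host":
        return ipaddress.ip_network(tok[i + 1] + "/32"), i + 2
    return ipaddress.ip_network(f"{tok[i]}/{tok[i + 1]}", strict=False), i + 2


def parse(config, names=NAMES):
    """Collect ACL entries, policy-NAT statics, the crypto match ACL and the PAT address."""
    acls, policy_nat, crypto_acl, pat = {}, [], None, None
    for line in config.splitlines():
        tok = [names.get(t, t) for t in line.split()]     # resolve name objects
        if not tok:
            continue
        if tok[0] == "access-list" and "permit" in tok:
            i = tok.index("permit") + 1
            proto, i = tok[i], i + 1
            src, i = _addr(tok, i)
            dst, i = _addr(tok, i)
            acls.setdefault(tok[1], []).append((proto, src, dst))
        elif tok[0] == "static" and "access-list" in tok:  # policy NAT
            policy_nat.append((tok[2], tok[tok.index("access-list") + 1]))
        elif tok[0] == "global":                            # global (outside) 1 ADDR ...
            pat = tok[3]
        elif tok[:2] == ["crypto", "map"] and "match" in tok:
            crypto_acl = tok[-1]
    return acls, policy_nat, crypto_acl, pat


def evaluate(config, src, dst, names=NAMES):
    """Return (translated source, True if the crypto ACL matches the translated packet)."""
    acls, policy_nat, crypto_acl, pat = parse(config, names)
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    mapped = pat
    for mapped_ip, acl in policy_nat:                       # step 1: policy NAT on real addresses
        if any(p == "ip" and s in sn and d in dn for p, sn, dn in acls.get(acl, [])):
            mapped = mapped_ip
            break
    m = ipaddress.ip_address(mapped)                        # step 2: PAT if nothing matched
    in_tunnel = any(m in sn and d in dn for _, sn, dn in acls.get(crypto_acl, []))  # step 3
    return mapped, in_tunnel


# Constructed from the poster's lines; PAT address 66.77.88.136 is assumed from the logs.
POSTED = """\
access-list policy-nat extended permit ip host 66.77.88.170 host 1.2.3.4
access-list Outside_cryptomap_60 extended permit ip inside-network 255.255.254.0 host 1.2.3.4
access-list Outside_cryptomap_60 extended permit ip host 66.85.99.170 host 1.2.3.4
global (outside) 1 66.77.88.136 netmask 255.255.255.192
static (inside,outside) 66.77.88.170 access-list policy-nat
crypto map Outside_map 60 match address Outside_cryptomap_60
"""
# The answer's version: ACL names swapped between the static and the crypto map.
SUGGESTED = """\
access-list policy-nat extended permit ip host 66.77.88.170 host 1.2.3.4
access-list Outside_cryptomap_60 extended permit ip inside-network 255.255.254.0 host 1.2.3.4
global (outside) 1 66.77.88.136 netmask 255.255.255.192
static (inside,outside) 66.77.88.170 access-list Outside_cryptomap_60
crypto map Outside_map 60 match address policy-nat
"""

if __name__ == "__main__":
    print("posted   :", evaluate(POSTED, "10.0.0.5", "1.2.3.4"))     # PAT address, no tunnel
    print("suggested:", evaluate(SUGGESTED, "10.0.0.5", "1.2.3.4"))  # 66.77.88.170, tunnel
    print("other dst:", evaluate(SUGGESTED, "10.0.0.5", "8.8.8.8"))  # PAT address, no tunnel
```

    With the posted config the policy-NAT ACL is written in terms of the mapped address, so no inside host ever matches it, the packet falls through to PAT and the crypto ACL (written for inside addresses) never sees a matching source. The model covers only the pieces the thread discusses; it does not implement NAT exemption, identity NAT or the 8.3+ object NAT ordering.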

  • Deployment via a server internal; stand-alone installers needed

    Hi all..

    I'm new to the Creative Cloud thing. I'm trying to set up an internal update server so that our users do not have to go to the internet to receive CC updates. I hit a roadblock here in the installation/deployment guide:

    "When you create a product installation folder, one of the first things you do is point AAMEE to the product install file for the product you purchased or the product you are packaging. The Application Manager scans this folder and presents you with a list of the applications and components that can be installed, from which you make your choices."

    My question: where can I find these? To my knowledge, there is no stand-alone installer for the CC apps.

    Thank you in advance!

    Marc

    Never mind... I realize that AAMEE is only for the pre-Creative Cloud software.
