NAT + question ACB

Hi all!

I find no error on mine. Why no ping from PC1 to R2?
When I ping from R2 to PC1, reached ping PC1 and on the way back he losts inside the R1.
PC1 (s:192.168.02 d: 77.77.77.78) package it receives by R1 Fa0/1 (out) according to ACB passes to the Loopback0 (en)
and disappears (debug), even if the package should be translated (s:192.168.0.2-> s:77.77.77.77) and forwarded to 77.77.77.78 through Fa0/1 (out).

Where I'm wrong?
Regime is in the attachment.

Best regards, Alexey.

Good morning, Alex.

I did the same topology in lab environment.

Please add the following sentence to the route map to make your task of work:

access-list 101 permit ip 192.168.0.2 host 77.77.77.78

access-list 102 permit ip host 77.77.77.78 192.168.0.2

Nat-loop allowed 10 route map
corresponds to the IP 101

set ip next-hop 4.4.4.2

route Nat allowed 20 map
address for correspondence ip 102

set ip next-hop 4.4.4.2

Please, see my previous response. I tried to write some explonations.

Tags: Cisco Network

Similar Questions

  • Static NAT question

    Hi Experts,

    Please help me on this. I enclose my diagram network with this post.
    My firewall is cisco ASA 5510 running with version 8.4 of software. I set up static NAT for all three servers (in the diagram, server 1,2 and 3). The question is, the static NAT works only with the first server. No trades do go to other two server (2 and 3). All servers are in the DMZ.

    When I remove the static NAT for Server 2 and 3, all traffic going to the server with the IP WAN address of the firewall, which means that the dynamic NAT works. I am also attaching the configuration file.

    (NOTE: NAT works for the 72.16.34.1 Server)

    Kind regards
    Martin

    HI San,

    Would you be able to try this workaround: -.

    https://supportforums.Cisco.com/blog/149276/asapix-proxy-ARP-vs-gratuito...

    I think the problem is with the IP addresses provided by the ISP.

    Thank you and best regards,

    Maryse Amrodia

  • Cisco ASA Site to Site VPN IPSEC and NAT question

    Hi people,

    I have a question about the two Site to Site VPN IPSEC and NAT. basically what I want to achieve is to do the following:

    ASA2 is at HQ and ASA1 is a remote site. I have no problem setting a static static is a Site to IPSEC VPN between sites. Guests residing in 10.1.0.0/16 are able to communicate with hosts in 192.168.1.0/24, but what I want is to configure the NAT with IPSEC VPN for this host to 10.1.0.0/16 will communicate with hosts in 192.168.1.0/24 with translated addresses

    Just an example:

    N2 host (10.1.0.1/16) contacted N1 192.168.1.5 with destination host say 10.23.1.5 No 192.168.1.5 (notice the last byte is the same in the present case,.5)

    The translation still for the rest of the communication (host pings ip destination host 10.23.1.6 N3 N2 not 192.168.1.6 new last byte is the same)

    It sounds a bit confusing to me, but I've seen this type of configuration before when I worked for the supplier of managed services where we have given our customers (Ipsec Site to Site VPN with NAT, don't know how it was setup)

    Basically we contact the customer via site-to-site VPN hosts but their real address were hidden and we used as translated address more high 10.23.1.0/24 instead of (real) 192.168.1.0/24, last byte must be the same.

    Grateful if someone can shed some light on this subject.

    Hello

    OK so went with the old format of NAT configuration

    It seems to me that you could do the following:

    • Configure the ASA1 with static NAT strategy

      • access-list L2LVPN-POLICYNAT allowed ip 192.168.1.0 255.255.255.0 10.1.0.0 255.255.0.0
      • public static 10.23.1.0 (inside, outside) access-list L2LVPN-POLICYNAT
    • Because the above is a static NAT of the policy, this means that the translation will be made only when the destination network is 10.1.0.0/16
    • If you have for example a PAT basic configuration to inside-> external traffic, the above NAT configuration and the custom of the actual configuration of PAT interfere with eachother
    • ASA2 side, you can normally configure NAT0 / NAT Exemption for the 10.1.0.0/16 network
      • Note of the INTERIOR-SHEEP access-list SHEEP L2LVPN
      • the permitted INSIDE SHEEP 10.1.0.0 ip access list 255.255.0.0 10.23.1.0 255.255.255.0
      • NAT (inside) 0-list of access to the INTERIOR-SHEEP
    • You will need to consider that your access-list defining the VPN encrypted L2L traffic must reflect the new NAT network
      • ASA1: allowed to access-list L2LVPN-ENCRYPTIONDOMAIN ip 10.23.1.0 255.255.255.0 10.1.0.0 255.255.0.0
      • ASA2: list L2LVPN-ENCRYPTIONDOMAIN allowed ip 10.1.0.0 access 255.255.0.0 10.23.1.0 255.255.255.0

    I could test this configuration to work tomorrow but I would like to know if it works.

    Please rate if this was helpful

    -Jouni

  • outside NAT question

    I created an external NAT for my pc to allow internal users to access my pc in my domain name. But because of the domain name is not configured yet, I can only test the outside NAT by referring to my external IP address. For example, my pc has ip internal 10.10.10.11, external ip 82.1.1.11. I have a static nat 10.10.10.11 value 82.1.1.11, also affect a foreign 82.1.1.11 nat 10.10.10.11. My pc has established access list rules to allow external access to my port 80 and 8080. However, when I type http://82.1.1.11/sitename/ to access one of my site, I can't. If I change the url to refer to my internal ip address, the site is displayed correctly.

    Is there something I need to put in place to make it work?

    Thank you

    Pls see below:

    "To access an address of dnat_ip alias with the static control instructions and access-list, specify the address of dnat_ip in the statement of access-list command as the address which traffic is allowed to. The following example illustrates this point.

    alias (inside) 192.168.201.1 209.165.201.1 255.255.255.255

    static (inside, outside) 209.165.201.1 192.168.201.1 netmask 255.255.255.255

    access-list acl_out permit tcp host 192.168.201.1 host 209.165.201.1 eq ftp - data

    Access-group acl_out in interface outside.

    http://www.Cisco.com/univercd/CC/TD/doc/product/iaabu/PIX/pix_sw/v_62/cmdref/AB.htm

  • ASA 5520 IPSec NAT question

    I like more than 150 of VPN on my ASA 5520.  A specific customer, with that I'll put up a VPN has an overlap of two of the intellectual property, it must reach from its internal network.  It is NATing 10.251.11.177 internal network traffic to my ASA presents itself as 10.251.11.177 of the 10.251.11.176/29 network.  Now the two IP of its internal network, it must reach are 10.1.254.200 and 10.1.254.201.

    Thus, following the documentation on the site Web of Cisco I'm doing Policy Based Routing on the ASA 5520 (my thesis) so that its traffic will 1.1.1.1 and 1.1.1.2 instead of 10.1.254.200 and 10.1.254.201.  Once it reaches my ASA 5520 it gets back to these IP tranlated.

    I am using the following configuration, but when I try to add static entries, it won't let me add them.  I even tried "static 1.1.1.1 (exterior, Interior) POLICYNAT of the access list" with the ACL in reverse but no use.

    object-group, network VPN-map

    network-object host 1.1.1.1

    network-object host 1.1.1.2

    !

    POLICYNAT list extended access allowed host ip 10.1.254.200 10.251.11.176 255.255.255.248

    POLICYNAT list extended access allowed host ip 10.1.254.201 10.251.11.176 255.255.255.248

    !

    static (inside, outside) 1.1.1.1 access-list POLICYNAT

    public static (inside, outside) 1.1.1.2 - POLICYNAT access list

    Try breaking the IPs in two ACL

    POLICYNAT1 list extended access allowed host ip 10.1.254.200 10.251.11.176 255.255.255.248

    POLICYNAT2 list extended access allowed host ip 10.1.254.201 10.251.11.176 255.255.255.248

    !

    static (inside, outside) 1.1.1.1 access-list POLICYNAT1

    public static (inside, outside) 1.1.1.2 - POLICYNAT2 access list

    HTH

    GE

  • Question about the issue of the Double NAT...

    Hah I posted for a little.  I have a question about Double NAT.  Is it wise to launch?  Reason why is that I have a WRT54G v6 router and the Zoom ADSL X 4 Modem/Router/gateway and it seems that sites take just a little more time to respond to Web sites.  I just want to know I have to turn off (i.e., go in with my router bridge Mode) or what.  Or leave it alone.  Now one last thing: that the problem of slow could actually be AT & T but I have the feeling that this isn't.

    What configuration options you have on the Zyxel to fill? What have you tried exactly?

    The basis for the first option is:

    * Bridged Zyxel.

    * Linksys configured for PPPoE with your user name and password for the internet connection.

    Instructions to fill the Zyxel are here or here depending on the exact model of Zyxel.

    The second option is:

    * Zyxel doing business as the router. I assume here that the Zyxel is on 10.0.0.2 with a subnet mask 255.255.255.0.

    Unplug the Linksys to the Zyxel. Connect a computer to the Linksys. Open the web interface of the WRT to http://192.168.1.1/

    On the main Setup page:

    1. change the LAN IP of 192.168.1.1 address 10.0.0.1.

    2 disable the DHCP server.

    3. save the settings. You will lose the connection. Unplug the computer.

    4. wire one of the numbered LAN ports of the Linksys for the Zyxel. Do not use the internet port of Linksys!

    Now you should be able to open the Linksys web interface to http://10.0.0.1/ all devices connected wireless of Linksys or connected to one of the three LAN ports must have a connection to the internet via the Zyxel.

  • Question for NAT exemption

    I have an ASA 5545 X 9.6 1 code running, and I had a question regarding NAT exemptions for Anyconnect VPN client.

    When I initially configured the Anyconnect VPN, I did the usual steps: created a local customer pool, authentication, customer software image and exemptions of NAT using the new syntax. Example of

    NAT (inside, outside) static source PROD-PROD-NETWORKS static destination VPN CLIENT VPN CLIENT POOL no-proxy-arp-route search

    I also have an ACL of VPN clients.

    Then I added a network in the ACL, added a route on the network of the SAA, but I forgot to put this network in the group that the above (PROD-NETWORKS). In other words, I forgot to make an exemption nat for this new network.

    But customers were still able to connect to the new network without derogation.

    If something has changed? Is - it is no longer necessary? How is this even work?

    Hi Colin,

    Well usually NAT exemption is necessary 9.X code introduced the volatile PAT PAT and multisession feature, the feature of p. - session is enabled by default and is allowed for better scalability, this feature also is not a timeout which means that you can have more & than multisession (translations of PAT in the course of a single IP address) , this now to return to the initial request, let´s, remember that a dynamic NAT is not bidirectional, so you're from the VPN client to the IP address of the client, and it is allowed. This is (is there an object configured for the internet that must be put in correspondence of NAT?), what line # is the exemption of NAT in? What happens if you delete the exemption of NAT, or place as line 1?

    Because you are specifying NAT exemption is still being offset, it seems somehow just, but if you see it in the prospect that the dynamic NAT is one-way for internal hosts, and the current flow rate seems to be: VPN user accesses the SAA and this is allowed because it is a VPN traffic and "Sysopt connection permit-vpn" allows traffic and while he has not matched NAT (right here should the free equivalent of) NAT, if it isn't, it is does not match any other NAT for the host 'outside') then just traffic continues to go to the internal host (path Session Management), then the answer must match this stream via the (Fast Path flow), obviously the package is the encapsulated and encrypted and vice versa as well.

    Keep me posted!

    Please note and mark it as correct the helpful post!

    David Castro,

  • On the Question of VPN S2S source NAT

    Currently we have a number of implementation of VPN with various clients.  We are NAT'ing range them at a 24 in our network to keep simple routing, but we seek to NAT Source our resources due to security problems.  It is an example of a current virtual private network that we have configured:

    outside_map crypto card 5 corresponds to the address SAMPLE_cryptomap

    outside_map 5 peer set 99.99.99.99 crypto card

    card crypto outside_map 5 set ikev1 transform-set ESP-3DES-MD5 SHA-ESP-3DES

    card crypto outside_map 5 the value reverse-road

    SAMPLE_cryptomap list extended access permitted ip object-group APP_CLIENT_Hosts-group of objects CLIENT_Hosts

    NAT (inside, outside) static source APP_CLIENT_Hosts APP_CLIENT_Hosts CLIENT_Host_1_NAT CLIENT_Host_1 non-proxy-arp-search of route static destination

    NAT (inside, outside) static source APP_CLIENT_Hosts APP_CLIENT_Hosts CLIENT_Host_2_NAT CLIENT_Host_2 non-proxy-arp-search of route static destination

    NAT (inside, outside) static source APP_CLIENT_Hosts APP_CLIENT_Hosts CLIENT_Host_3_NAT CLIENT_Host_3 non-proxy-arp-search of route static destination

    the APP_CLIENT_Hosts object-group network

    network-object, object SITE1_APP_JCAPS_Dev_VIP

    network-object, object SITE1_APP_JCAPS_Prod_VIP

    network-object, object SITE2_APP_JCAPS_Dev_Host

    network-object, object SITE2_APP_JCAPS_Prod_VIP

    network-object, object SITE1_APP_PACS_Primary

    network of the SITE1_APP_JCAPS_Dev_VIP object

    Home 10.200.125.32

    network of the SITE1_APP_JCAPS_Prod_VIP object

    Home 10.200.120.32

    network of the SITE2_APP_JCAPS_Dev_Host object

    Home 10.30.15.30

    network of the SITE2_APP_JCAPS_Prod_VIP object

    Home 10.30.10.32

    network of the SITE1_APP_PACS_Primary object

    Home 10.200.10.75

    network of the CLIENT_Host_1 object

    host of the object-Network 192.168.15.100

    network of the CLIENT_Host_2 object

    host of the object-Network 192.168.15.130

    network of the CLIENT_Host_3 object

    host of the object-Network 192.168.15.15

    network of the CLIENT_Host_1_NAT object

    host of the object-Network 10.200.192.31

    network of the CLIENT_Host_2_NAT object

    host of the object-Network 10.200.192.32

    network of the CLIENT_Host_3_NAT object

    host of the object-Network 10.200.192.33

    My question revolves around the Source NAT configuration.  If I understand correctly, I have to configure 3 statements of NAT per NAT Source since there are three different destinations that are NAT' ed.  I think I would need to add this:

    network of the SITE1_APP_JCAPS_Dev_VIP_NAT object

    Home 88.88.88.81

    network of the SITE1_APP_JCAPS_Prod_VIP_NAT object

    Home 88.88.88.82

    network of the SITE2_APP_JCAPS_Dev_Host_NAT object

    Home 88.88.88.83

    network of the SITE2_APP_JCAPS_Prod_VIP_NAT object

    Home 88.88.88.84

    network of the SITE1_APP_PACS_Primary_NAT object

    Home 88.88.88.85

    NAT (inside, outside) static source SITE1_APP_JCAPS_Dev_VIP SITE1_APP_JCAPS_Dev_VIP_NAT CLIENT_Host_1_NAT CLIENT_Host_1 non-proxy-arp-search of route static destination

    NAT (inside, outside) static source SITE1_APP_JCAPS_Dev_VIP SITE1_APP_JCAPS_Dev_VIP_NAT CLIENT_Host_2_NAT CLIENT_Host_2 non-proxy-arp-search of route static destination

    NAT (inside, outside) static source SITE1_APP_JCAPS_Dev_VIP SITE1_APP_JCAPS_Dev_VIP_NAT CLIENT_Host_3_NAT CLIENT_Host_3 non-proxy-arp-search of route static destination

    NAT (inside, outside) static source SITE1_APP_JCAPS_Prod_VIP SITE1_APP_JCAPS_Prod_VIP_NAT CLIENT_Host_1_NAT CLIENT_Host_1 non-proxy-arp-search of route static destination

    NAT (inside, outside) static source SITE1_APP_JCAPS_Prod_VIP SITE1_APP_JCAPS_Prod_VIP_NAT CLIENT_Host_2_NAT CLIENT_Host_2 non-proxy-arp-search of route static destination

    NAT (inside, outside) static source SITE1_APP_JCAPS_Prod_VIP SITE1_APP_JCAPS_Prod_VIP_NAT CLIENT_Host_3_NAT CLIENT_Host_3 non-proxy-arp-search of route static destination

    NAT (inside, outside) static source SITE2_APP_JCAPS_Dev_Host SITE2_APP_JCAPS_Dev_Host_NAT CLIENT_Host_1_NAT CLIENT_Host_1 non-proxy-arp-search of route static destination

    NAT (inside, outside) static source SITE2_APP_JCAPS_Dev_Host SITE2_APP_JCAPS_Dev_Host_NAT CLIENT_Host_2_NAT CLIENT_Host_2 non-proxy-arp-search of route static destination

    NAT (inside, outside) static source SITE2_APP_JCAPS_Dev_Host SITE2_APP_JCAPS_Dev_Host_NAT CLIENT_Host_3_NAT CLIENT_Host_3 non-proxy-arp-search of route static destination

    NAT (inside, outside) static source SITE2_APP_JCAPS_Prod_VIP SITE2_APP_JCAPS_Prod_VIP_NAT CLIENT_Host_1_NAT CLIENT_Host_1 non-proxy-arp-search of route static destination

    NAT (inside, outside) static source SITE2_APP_JCAPS_Prod_VIP SITE2_APP_JCAPS_Prod_VIP_NAT CLIENT_Host_2_NAT CLIENT_Host_2 non-proxy-arp-search of route static destination

    NAT (inside, outside) static source SITE2_APP_JCAPS_Prod_VIP SITE2_APP_JCAPS_Prod_VIP_NAT CLIENT_Host_3_NAT CLIENT_Host_3 non-proxy-arp-search of route static destination

    NAT (inside, outside) static source SITE1_APP_PACS_Primary SITE1_APP_PACS_Primary_NAT CLIENT_Host_1_NAT CLIENT_Host_1 non-proxy-arp-search of route static destination

    NAT (inside, outside) static source SITE1_APP_PACS_Primary SITE1_APP_PACS_Primary_NAT CLIENT_Host_2_NAT CLIENT_Host_2 non-proxy-arp-search of route static destination

    NAT (inside, outside) static source SITE1_APP_PACS_Primary SITE1_APP_PACS_Primary_NAT CLIENT_Host_3_NAT CLIENT_Host_3 non-proxy-arp-search of route static destination

    Is that correct, or is at - it an easier way to do this without having to add all statements of NAT?  Moreover, any change would be to do on the access list?

    Hello

    To my knowledge you should not create several new instructions from NAT. You should be well just create a new Group 'object' for new addresses your source address NAT.

    To better explain, take a look at your current ' object-group ' that defines your source addresses

    the APP_CLIENT_Hosts object-group network

    network-object, object SITE1_APP_JCAPS_Dev_VIP

    network-object, object SITE1_APP_JCAPS_Prod_VIP

    network-object, object SITE2_APP_JCAPS_Dev_Host

    network-object, object SITE2_APP_JCAPS_Prod_VIP

    network-object, object SITE1_APP_PACS_Primary

    Now you can do this sets up a "object-group" that contains a NAT IP address for each of the IP addresses inside the ' object-group ' and 'object' used above. The IMPORTANT thing is that the ' object-group ' that contains the NAT IP addresses is in the SAME ORDER as the actual source addresses.

    I mean, this is the first IP address is in most object - group ' will correspond to the first IP address in the newly created "object-group" for the IP NAT addresses.

    As above, you can simply have the same "nat" configurations 3 as before but you change/add in the newly created "object-group"

    For example, you might do the following

    network of the SITE1_APP_JCAPS_Dev_VIP_NAT object

    Home 88.88.88.81

    network of the SITE1_APP_JCAPS_Prod_VIP_NAT object

    Home 88.88.88.82

    network of the SITE2_APP_JCAPS_Dev_Host_NAT object

    Home 88.88.88.83

    network of the SITE2_APP_JCAPS_Prod_VIP_NAT object

    Home 88.88.88.84

    network of the SITE1_APP_PACS_Primary_NAT object

    Home 88.88.88.85

    the APP_CLIENT_Hosts_NAT object-group network

    network-object, object SITE1_APP_JCAPS_Dev_VIP_NAT

    network-object, object SITE1_APP_JCAPS_Prod_VIP_NAT

    network-object, object SITE2_APP_JCAPS_Dev_Host_NAT

    network-object, object SITE2_APP_JCAPS_Prod_VIP_NAT

    network-object, object SITE1_APP_PACS_Primary_NAT

    Then you add the following configurations of "nat"

    NAT (inside, outside) 1 static source APP_CLIENT_Hosts APP_CLIENT_Hosts_NAT CLIENT_Host_1_NAT CLIENT_Host_1 non-proxy-arp-search of route static destination

    Static NAT APP_CLIENT_Hosts APP_CLIENT_Hosts_NAT static destination CLIENT_Host_2_NAT CLIENT_Host_2 non-proxy-arp-search of source route 2 (inside, outside)

    NAT 3 (indoor, outdoor) static source APP_CLIENT_Hosts APP_CLIENT_Hosts_NAT CLIENT_Host_3_NAT CLIENT_Host_3 non-proxy-arp-search of route static destination

    Note line numbers, we added the above commands. This allows them to enter the upper part of the ASAs NAT rules, and therefore, they will become active immediately. Without line numbers that they will only be used after when you remove the old lines.

    Then you can remove the "old"

    no nat source (indoor, outdoor) public static APP_CLIENT_Hosts APP_CLIENT_Hosts CLIENT_Host_1_NAT CLIENT_Host_1 non-proxy-arp-search of route static destination

    no nat source (indoor, outdoor) public static APP_CLIENT_Hosts APP_CLIENT_Hosts CLIENT_Host_2_NAT CLIENT_Host_2 non-proxy-arp-search of route static destination

    no nat source (indoor, outdoor) public static APP_CLIENT_Hosts APP_CLIENT_Hosts CLIENT_Host_3_NAT CLIENT_Host_3 non-proxy-arp-search of route static destination

    This should leave you with 3 configurations "nat" who made the NAT source addresses and destination.

    Naturally while you perform this change you will also have to change the ACL Crypto to match the new source NAT. This is because as all NAT is done before any VPN on the ASA. So the destination addresses are Nations United for before VPN and source addresses are translated before VPN.

    If you do not want to make the changes without affecting the connections too so I suggest

    • Add rules to the ACL Crypto for new addresses (NAT) source. Of course, this must be done on both sides of the VPN L2L. You would still be leaving the original configurations to the Crypto ACL does not not the functioning of the L2L VPN.
    • Add new configurations of "nat" above without the line numbers I mentioned who mean you that they wont be used until you remove the "old".
    • When you are ready to be migrated to use the new IP addresses, simply remove the original "nat" configurations and the ASA will start the corresponding traffic for new "nat" configurations. Provided of course that there is no other "nat" configuration before the nine that could mess things up. This should be verified by the person making the changes.

    Of course if you can afford a small cut when then changing the order in which you do things should not matter that much. In my work, that connections are usually not that critical that you can't make these changes almost at any point as it is a matter of minutes what it takes to make changes.

    Hope this made sense and helped

    Remember to mark a reply as the answer if it answered your question.

    Feel free to ask more if necessary.

    -Jouni

  • nat VPN question.

    Try to find what happened.  I had the remote end raise the tunnel, as they can ping resources on my side.  I am unable to ping 10.90.238.148 through this tunnel.  I used to be able to until the interface of K_Inc has been added.  The network behind this interface is 10/8.

    I asked a question earlier in another post and advises him to play opposite road of Cryptography.  And who did it.  I was able to ping 10.90.238.148 of 192.168.141.10, with the config below.

    I am at a loss to why I can't all of a sudden.  A bit of history, given routes have not changed.  By adding the command set opposite road to cryptography, I find myself with a static entry for the 10.90.238.0 network is what fixed it initially so I don't think it's a problem of route.  The remote end had an overlap with the 192.168.141.0/24 that is why my side is natted on the 10.40.27.0.  None of the nats have changed so if adding the reverse route worked for a day, it should still work.  Any thoughts?

    interface GigabitEthernet0/3.10

    VLAN 10

    nameif K_Inc

    security-level 100

    IP address 192.168.10.254 255.255.255.0

    interface GigabitEthernet0/3.141

    VLAN 141

    cold nameif

    security-level 100

    IP 192.168.141.254 255.255.255.0

    (Cold) NAT 0 access-list sheep

    NAT (cold) 1 192.168.141.0 255.255.255.0

    Access extensive list ip 192.168.141.0 CSVPNOFFSITE allow 255.255.255.0 10.90.238.0 255.255.255.0

    Access extensive list ip 10.40.27.0 CSVPNOFFSITE allow 255.255.255.0 10.90.238.0 255.255.255.0

    Access extensive list ip 192.168.141.0 CSVPNNAT allow 255.255.255.0 10.90.238.0 255.255.255.0

    IP 10.40.27.0 allow Access-list extended sheep 255.255.255.0 10.90.238.0 255.255.255.0

    static 10.40.27.0 (cold, outside) - CSVPNNAT access list

    card crypto Outside_map 5 corresponds to the address CSVPNOFFSITE

    card crypto Outside_map 5 the value reverse-road

    card crypto Outside_map 5 set pfs

    card crypto Outside_map 5 set peer 20.x.x.3

    Outside_map 5 transform-set ESP-3DES-MD5 crypto card game

    card crypto Outside_map 5 defined security-association life seconds 28800

    card crypto Outside_map 5 set security-association kilobytes of life 4608000

    tunnel-group 20.x.x.3 type ipsec-l2l

    20.x.x.3 Group of tunnel ipsec-attributes

    pre-shared-key *.

    Route outside 0.0.0.0 0.0.0.0 7.x.x.1 1

    Route 10.0.0.0 K_Inc 255.192.0.0 192.168.10.252 1

    Route K_Inc 10.64.0.0 255.224.0.0 192.168.10.252 1

    Route K_Inc 10.100.100.0 255.255.255.0 192.168.10.252 1

    Route K_Inc 10.128.0.0 255.128.0.0 192.168.10.252 1

    Tunnel is up:

    14 peer IKE: 20.x.x.243

    Type: L2L role: answering machine

    Generate a new key: no State: MM_ACTIVE

    EDIT:

    I just noticed when tracer packet i run I don't get a phase VPN or encrypt:

    Packet-trace entry cold tcp 192.168.141.10 80 80 10.90.238.148 det

    Phase: 1

    Type: FLOW-SEARCH

    Subtype:

    Result: ALLOW

    Config:

    Additional information:

    Not found no corresponding stream, creating a new stream

    Phase: 2

    Type:-ROUTE SEARCH

    Subtype: entry

    Result: ALLOW

    Config:

    Additional information:

    in 10.90.238.0 255.255.255.0 outside

    Phase: 3

    Type: IP-OPTIONS

    Subtype:

    Result: ALLOW

    Config:

    Additional information:

    Direct flow from returns search rule:

    ID = 0xad048d08, priority = 0, sector = option-ip-enabled, deny = true

    hits = 2954624, user_data = 0 x 0, cs_id = 0 x 0, reverse, flags = 0 x 0 = 0 protocol

    SRC ip = 0.0.0.0 mask 0.0.0.0, port = 0 =

    DST ip = 0.0.0.0 mask = 0.0.0.0, port = 0, dscp = 0 x 0

    Phase: 4

    Type: QOS

    Subtype:

    Result: ALLOW

    Config:

    Additional information:

    Direct flow from returns search rule:

    ID = 0xb2ed4b80, priority = 72, domain = qos by class, deny = false

    hits = 2954687, user_data = 0xb2ed49d8, cs_id = 0 x 0, reverse, flags = 0 x 0 = 0 protocol

    SRC ip = 0.0.0.0 mask 0.0.0.0, port = 0 =

    DST ip = 0.0.0.0 mask = 0.0.0.0, port = 0, dscp = 0 x 0

    Phase: 5

    Type: FOVER

    Subtype: Eve-updated

    Result: ALLOW

    Config:

    Additional information:

    Direct flow from returns search rule:

    ID = 0xad090180, priority = 20, area = read, deny = false

    hits = 618776, user_data = 0 x 0, cs_id = 0 x 0, flags = 0 x 0, Protocol = 6

    SRC ip = 0.0.0.0 mask 0.0.0.0, port = 0 =

    DST ip = 0.0.0.0 mask = 0.0.0.0, port = 0, dscp = 0 x 0

    Phase: 6

    Type: NAT

    Subtype:

    Result: ALLOW

    Config:

    static (ColdSpring, external) 74.x.x.50 192.168.141.10 netmask 255.255.255.255

    match ip host 192.168.141.10 ColdSpring outside of any

    static translation at 74.x.x.50

    translate_hits = 610710, untranslate_hits = 188039

    Additional information:

    Definition of static 192.168.141.10/0 to 74.112.122.50/0 using subnet mask 255.255.255.255

    Direct flow from returns search rule:

    ID = 0xac541e50, priority = 5, area = nat, deny = false

    hits = 610742, user_data = 0xac541c08, cs_id = 0 x 0, flags = 0 x 0 = 0 protocol

    SRC ip = 192.168.141.10, mask is 255.255.255.255, port = 0

    DST ip = 0.0.0.0 mask = 0.0.0.0, port = 0, dscp = 0 x 0

    Phase: 7

    Type: NAT

    Subtype: host-limits

    Result: ALLOW

    Config:

    static (ColdSpring, dmz) 192.168.141.0 192.168.141.0 netmask 255.255.255.0

    match ip ColdSpring 192.168.141.0 255.255.255.0 dmz all

    static translation at 192.168.141.0

    translate_hits = 4194, untranslate_hits = 20032

    Additional information:

    Direct flow from returns search rule:

    ID = 0xace2c1a0, priority = 5, area = host, deny = false

    hits = 2954683, user_data = 0xace2ce68, cs_id = 0 x 0, reverse, flags = 0 x 0 = 0 protocol

    SRC ip = 192.168.141.0, mask is 255.255.255.0, port = 0

    DST ip = 0.0.0.0 mask = 0.0.0.0, port = 0, dscp = 0 x 0

    Phase: 8

    Type: IP-OPTIONS

    Subtype:

    Result: ALLOW

    Config:

    Additional information:

    Reverse flow from returns search rule:

    ID = 0xaacbcb90, priority = 0, sector = option-ip-enabled, deny = true

    hits = 282827537, user_data = 0 x 0, cs_id = 0 x 0, reverse, flags = 0 x 0 = 0 protocol

    SRC ip = 0.0.0.0 mask 0.0.0.0, port = 0 =

    DST ip = 0.0.0.0 mask = 0.0.0.0, port = 0, dscp = 0 x 0

    Phase: 9

    Type: QOS

    Subtype:

    Result: ALLOW

    Config:

    Additional information:

    Reverse flow from returns search rule:

    ID = 0xb2ed5c78, priority = 72, domain = qos by class, deny = false

    hits = 4749562, user_data = 0xb2ed5ad0, cs_id = 0 x 0, reverse, flags = 0 x 0 = 0 protocol

    SRC ip = 0.0.0.0 mask 0.0.0.0, port = 0 =

    DST ip = 0.0.0.0 mask = 0.0.0.0, port = 0, dscp = 0 x 0

    Phase: 10

    Type: CREATING STREAMS

    Subtype:

    Result: ALLOW

    Config:

    Additional information:

    New workflow created with the 339487904 id, package sent to the next module

    Information module for forward flow...

    snp_fp_inspect_ip_options

    snp_fp_tcp_normalizer

    snp_fp_translate

    snp_fp_adjacency

    snp_fp_fragment

    snp_fp_tracer_drop

    snp_ifc_stat

    Information for reverse flow...

    snp_fp_inspect_ip_options

    snp_fp_translate

    snp_fp_tcp_normalizer

    snp_fp_adjacency

    snp_fp_fragment

    snp_fp_tracer_drop

    snp_ifc_stat

    Phase: 11

    Type:-ROUTE SEARCH

    Subtype: output and contiguity

    Result: ALLOW

    Config:

    Additional information:

    found 7.x.x.1 of next hop using ifc of evacuation outside

    contiguity Active

    0007.B400.1402 address of stretch following mac typo 51982146

    Result:

    input interface: cold

    entry status: to the top

    entry-line-status: to the top

    output interface: outside

    the status of the output: to the top

    output-line-status: to the top

    Action: allow

    What version are you running to ASA?

    My guess is that your two static NAT is configured above policy nat you have configured for the VPN?  If this is the case, move your above these static NAT NAT policy and you should see the traffic start to flow properly.

    --

    Please note all useful posts

  • Based on the IOS VPN Lan-to-Lan (NAT and route map Questions)

    Hello world

    I worked on my review of CCNA security and I have a question about this stage

    LAN1 192.168.0.0/24---(routeur HQ)--10.10.10.0/30--(INTERNET)--20.20.20.0/30--(routeur Branch) - LAN2 192.168.1.0/24

    I use 10.10.10.0/30 and 20.20.20.0/30 networks assuming that these are public addresses (is just a laboratory).

    I read that if I want to make the VPN tunnel while I using NAT I must exclude valuable traffic from the NAT process so I look on the database of cisco for more help and I found this (look at the 3660 router configuration):

    http://www.Cisco.com/en/us/products/ps6120/products_configuration_example09186a008045a2d2.shtml#T1

    so, I applied this config for my routers, so the config is:

    IP nat inside source map route sheep interface fastEthernet0/1

    access list 110 deny ip 192.168.0.0. 0.0.0.255 192.168.1.0 0.0.0.255

    access list 119 permit ip 192.168.0.0. 0.0.0.255 any

    sheep allowed 10 route map

    corresponds to the IP 110

    I didn't really understand who is using the command route-map here, so I made this configuration:

    IP nat inside list sheep interface FastEthernet0/1

    sheep extended IP access list

    deny ip 192.168.0.0 0.0.0.255 192.168.1.0 0.0.0.255

    Licensing ip 192.168.0.0 0.0.0.255 any

    Two of them worked I could translate my LAN addresses to the public to address internet and also could establish the VPN tunnel. So my questions are:

    1. What is the purpose of the road-map command?

    2. What is the difference between these two configuration?

    3. which one I should use and in what cases?

    Thanks in advance

    Jose

    Jose,

    Very good questions and in fact no need to the road map it.

    Personally, I like using course maps because it allows much more flexibility than simply ACL setup, but in order to bypass the NAT source IPs, there is no need of route-maps and you can do this with the ACL directly.

    I personally always use road-maps just because I can (route-maps are cool) haha

    Route-maps are very useful in other scenarios where you need to put more of conditions or factors.

    Remember that it is almost always more than one method to accomplish a task... which is one of those cases.

    It will be useful.

    Federico.

  • Questions of WRT54GL with the XBOX 360 Modern Warfare 2 chat (even with open NAT)

    Hello

    I read a few posts on the subject, but can't seem to make it work.  I tried port forwarding, UPnP and DMZ on their own or at the time and the best I could do is get a "open NAT" in modern warfare, allowing me to play online.  However, I do hear not others when you play online.  I can tell they speaking by looking at the icon of speaker beside their name between games, but cannot hear them...  I can hear people in my private chat or part without problem.

    Can you guys help me?  It's hard to read dominance without being able to communicate with his teammates.

    Oh gawd...  I feel like a noob...  It turns out it wasn't my router settings at all.  Somehow, I got my 'privacy settings' in XBOX Live set to "Discuss with friends only" or something similar.  I now opened it at all and it works fine.

  • NAT Type for PS3 (wrt610N) question

    I have the wrt610N cable Internet and Modern Warefare 2 play on the PS3. Since day 1, I had a Type 2 Nat type depending on the internet connection of the PS3 test.  Modern Warfare 2 includes a Nat Type indicator on the lobby screen and mine said always moderate.

    Well, after a little research, I forwarded my ports and hop, he says that my NAt type is open. Yesterday I accidentally unplugged the router and now my screen of the lobby still moderate.  My ports are always transmitted, so I have no idea of what is happening.  Any ideas?

    Someone suggested that I can just go into the router and configure it to open, but it doesn't sound right.  Also, I read some posts on here and noticed people mentioning something on the home network defender in the Management tab.  I have no option.  Someone knows why?

    Port 10070 - 10080 not required for MW2, however, it is necessary for the PS3... As far as the DNS is concerned, I provided you DNS on the router, you can either use router DNS, DNS ISP or the universal DNS 208.67.222.222 and 208.67.220.220... any of them.

  • NAT for DVR Config question

    Hai all,

    New to Cisco IAM, I have a Cisco 2811 router with 2 ethernet ports:

    Here is my config:

    2-port ethernet on my router

    1 port 0/0 directly connected to the ISP link

    WAN IP is configured as 122.183.1xx.6 ip and the gateway is 122.183.1xx.5

    1 port 0/1 connected to my local network which is 192.168.1.0 network

    LAN Port 0/1 IP's 192.168.1.200

    Internet works fine

    -----------------------------------------------------------------------------------------------------------

    If I do one that is my IP address?

    I get the IP as 122.183.1xx.42

    My ISP says its a Pool of LAN IP:

    122.183.1xx.43 - 47

    ----------------------------------------------------------------------------------------------------------

    Now I just discovered my DVR outside of my internet network?

    Do I need a NAT to view my DVR?

    If I use an ID DYDNS my 2811 router filters the 37777.how port of release

    DVR IP is 192.168.1.242 port is no 37777

    What is the procedure for nat to a static pool of ip from my ISP? How to unblock port 37777?

    Help to sort it out...

    Thank you...

    have you tried the previous suggestion? I asked for but I don't see everything.

    To check if your ISP blocks or do not do the following:

    1. create an ACL as follows

    access-list 199 permit tcp any newspaper EQ 37777 122.183.1xx.43 host

    access ip-list 199 permit a whole

    2. apply to the external interface

    Router (config) # int fa0/1

    (config-if) #ip group-access 199 in

    3. now Telnet 37777 outdoor port 122.183.1xx.43

    4. check if the th packages hit you box by running the following command:

    See the list of 199 ip access

    If you see numbers of access increases on the front-line ACL meanas your ISP does not block the traffic.

    After doing this. Please send the latest config.

  • Question of failure path reverse NAT

    Hello

    Using a sense 9.3 3 ASA 5512 - x running. I have Anyconnect VPN configured to PAT the subnet of remote access to one of the inside of the interfaces (because of internal routing restrictions).

    For example...

    Remote subnet: 192.168.10.0/24

    Internal subnet: 192.168.1.0/24

    Internal interface: 192.168.1.254

    All remote access clients behind 192.168.1.254 and it works correctly until I have add a dynamic NAT rule for outbound traffic, then I start to see the errors "reverse path NAT failure" when VPN clients try to access internal resources.

    network of the LAN1 object
    subnet 192.168.1.0 255.255.255.0
    NAT dynamic interface (indoor, outdoor)

    Is there a way to circumvent this problem, because all the remote access clients are hidden behind the interface address?

    Thanks for any help.

    Hello

    Instead of making nat under Group, have you tried to do globally as:

    NAT (inside_101_infrastructure, outside) static dynamic source of destination interface LAN-GROUP ANYCONNECT_VPN_SUBNET ANYCONNECT_VPN_SUBNET

    Thank you

    PS: Please do not forget to rate and score as good response if this solves your problem

  • The Global NAT FVRF questions - for Expert

    Hi Expert,

    I have a client with a DMVPN network. Here is a simple drawing of installation:

    First I set the router og BRANCH1 config: BRANCH1 - Config.txt

    What the client wants is simple:

    Host 200.200.200.200 reach the host 192.168.100.2 on port 3389.

    So I thought to do the static NAT like this:

    IP nat inside source static tcp 192.168.100.2 3389 100.10.10.2 3389

    but it does not work because the BRANCH1 router is configured with FVRF who wants to say outside interface is in a VRF and local area network inside interface is globally. I couldn't see any traffic coming to the server (192.168.100.2) but I could see the translation in the nat process.

    So I tried to configure the virtual interface of NAT (NVI) I read that NVI works best in the VRF environment. This time with these lines:

    interface FastEthernet0/0
    Description * WAN connection *.
    bandwidth 20000
    IP vrf forwarding DMVPN-VRF
    IP 100.10.10.2 255.255.255.0
    IP access-group OUTSIDEACL in
    activate nat IP
    IP virtual-reassembly
    automatic duplex
    automatic speed
    !
    interface FastEthernet0/1
    Description * to connect to the computer 3 *.
    IP 192.168.100.1 address 255.255.255.0
    NBAR IP protocol discovery
    activate nat IP
    IP virtual-reassembly
    load-interval 30
    automatic duplex
    automatic speed
    No cdp enable

    IP nat source static tcp 192.168.100.2 3389 100.10.10.2 3389 extensible

    Then I finally got some entries of traffic in the server 192.168.100.2. See the Wireshark log:

    200.200.200.200 192.168.100.2 TCP stgxfws > ms-wbt-Server [SYN] Seq = 0 Win = 64240 Len = 0 MSS = 1260


    192.168.100.2 200.200.200.200 ms-wbt-Server TCP > stgxfws [SYN, ACK] Seq = 0 Ack = 1 win = 64240 Len = 0 MSS = 1460

    So far so good but but... the router sends an ICMP destination 13 unreachable code to the server:

    10.1.0.1 192.168.100.2 ICMP Destination unreachable (Communication administratively filtered)

    I guess that is because the router performs a search in the global routing table instead of the destination FVRF.

    Anyone know how I can fix this problem?

    Maybe a solution to HUB1 for this so everything is managed central, what do you thing?

    Best regards

    Laurent Rlap

    I can't spoke1 config. But first the routing needs to work and I would like to try a leak of the VRF the way in Global.

    IP route 200.200.200.200 255.255.255.255 FastEthernet0/0

    When this is fixed we can watch NAT.

    / Ralph

Maybe you are looking for

  • 10 Windows mail and troubled calendar

    Hey,. I am currently configuring my iCloud account to work with the default Windows 10 calendar, Mail, people, etc. applications, however, when I created the account, it says the following: Calendar - "can't get calendars. Mail - "can't get mail. Peo

  • iolor gdf 32 program not found... Self-checking to jump...

    I got this message... everything I start... I contacted SONY... and 6 times they tried... and still no solution

  • Cisco asa geo blocking.

    Is there a way by which we can block all connections from a country on Cisco ASA, without us manually define an ACL. Hardware Cisco ASA5510- -Version 9.0

  • Why are images set to 100% smaller my new installation of PS CS6?

    I just bought a new MacBook Pro 13 "retina display and when I loaded PS extended CS6 and open any image at 100%, it's MUCH smaller than on my screen than on my last MacBook Pro 15" (non-Retina display).  I'm sure it is a display of screen/size of the

  • I get this error of fonts

    After Effects WARNING: a layer is missing dependenciesText layer: "BabasNeue", the font style font family: "regular."But I loaded this police and I know he asked what gives to ensure that I can fix?