NAT traffic through an IPsec tunnel (ISR)
Hello.
I am supposed to configure an IPsec tunnel between a Cisco 1811 and a Checkpoint firewall. The IPsec part isn't that big of a deal, but the administrator on the Checkpoint side requires that the traffic through the tunnel come from a public IP address, and from only one source IP address.
So, let's say that my ISP gave me 10.10.1.1 - 10.10.1.5, our internal clients have IP addresses in the 192.168.10.0/24 range, and the remote application at the Checkpoint site has the IP address 172.16.1.10. The result should be:
The IPsec tunnel is established using the IP address 10.10.1.1.
Traffic from the 192.168.1.0/24 clients should reach the application at 172.16.1.10 using 10.10.1.2 as its source address through the IPsec tunnel.
Is this possible? I guess that would mean I have to NAT the traffic going into the IPsec tunnel, but I'm unable to get this to work. I googled all day long looking for something similar.
Can anyone enlighten us? Any ideas appreciated.
Cheers!
/ Johan Christensson
Yes, it is possible. This should get you what you need. Let us know whether it works or not.
ip access-list extended policy-NAT
 permit ip 192.168.1.0 0.0.0.255 host 172.16.1.10
ip nat pool LAN-Checkpoint 10.10.1.2 10.10.1.2 netmask 255.255.255.0
ip nat inside source list policy-NAT pool LAN-Checkpoint overload
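The answer above shows only the NAT half of the design. The block below is an added example, not code from the thread or from Cisco: a small Python model of the ISR's inside-to-outside order of operations (NAT is applied first, then the crypto map is consulted), which is why the crypto ACL selecting traffic for the tunnel has to match the translated source 10.10.1.2 rather than the LAN range. The two crypto ACLs and the host addresses are assumptions; the NAT ACL and pool address come from the answer.

```python
"""
Model of IOS inside-to-outside processing for policy NAT into an IPsec tunnel.
Added example (not from the thread). Assumption: the crypto ACL is checked
against the packet *after* inside-to-outside NAT, which is the documented IOS
order of operations for inside-to-outside traffic.
"""
import ipaddress
from dataclasses import dataclass, replace


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str = "tcp"
    sport: int = 0
    dport: int = 0


@dataclass(frozen=True)
class Ace:
    """One 'permit ip <src> <dst>' entry, networks given in CIDR form."""
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network


def ace(src: str, dst: str) -> Ace:
    return Ace(ipaddress.ip_network(src), ipaddress.ip_network(dst))


def acl_matches(acl, pkt: Packet) -> bool:
    """True if any permit entry covers the packet's source and destination."""
    s, d = ipaddress.ip_address(pkt.src), ipaddress.ip_address(pkt.dst)
    return any(s in a.src and d in a.dst for a in acl)


class PolicyPat:
    """'ip nat inside source list <acl> pool <pool> overload' with a one-address pool."""

    def __init__(self, acl, pool_addr: str):
        self.acl = acl
        self.pool_addr = pool_addr
        self.next_port = 1024          # constructed starting port for the PAT table
        self.table = {}                # (proto, real src, real sport) -> translated sport

    def translate(self, pkt: Packet) -> Packet:
        if not acl_matches(self.acl, pkt):
            return pkt                 # not selected by the policy ACL: left untranslated here
        key = (pkt.proto, pkt.src, pkt.sport)
        if key not in self.table:
            self.table[key] = self.next_port
            self.next_port += 1
        return replace(pkt, src=self.pool_addr, sport=self.table[key])


def forward_inside_to_outside(pkt: Packet, nat: PolicyPat, crypto_acl):
    """Return (post-NAT packet, True if the crypto map would select it for encryption)."""
    translated = nat.translate(pkt)               # step 1: NAT inside -> outside
    encrypt = acl_matches(crypto_acl, translated)  # step 2: crypto map checked on the translated packet
    return translated, encrypt


# From the answer: ip access-list extended policy-NAT / ip nat pool LAN-Checkpoint
POLICY_NAT_ACL = [ace("192.168.1.0/24", "172.16.1.10/32")]
POOL_ADDR = "10.10.1.2"

# Assumed crypto ACLs (the thread does not show them).
CRYPTO_ACL_LAN_SOURCE = [ace("192.168.1.0/24", "172.16.1.10/32")]  # written with the pre-NAT source
CRYPTO_ACL_NAT_SOURCE = [ace("10.10.1.2/32", "172.16.1.10/32")]    # written with the post-NAT source


def run_scenario(crypto_acl):
    """Send one HTTPS packet from two constructed LAN hosts and report what the crypto map sees."""
    nat = PolicyPat(POLICY_NAT_ACL, POOL_ADDR)
    results = []
    for host in ("192.168.1.25", "192.168.1.26"):
        pkt = Packet(host, "172.16.1.10", "tcp", 40000, 443)
        results.append(forward_inside_to_outside(pkt, nat, crypto_acl))
    return results


if __name__ == "__main__":
    for label, acl in (("LAN-source crypto ACL", CRYPTO_ACL_LAN_SOURCE),
                       ("10.10.1.2 crypto ACL", CRYPTO_ACL_NAT_SOURCE)):
        for pkt, enc in run_scenario(acl):
            print(f"{label}: {pkt.src}:{pkt.sport} -> {pkt.dst}:{pkt.dport} encrypt={enc}")
```

The first crypto ACL never matches because the packet already carries 10.10.1.2 when the crypto map looks at it, so the traffic would leave the outside interface in the clear; the Checkpoint side's encryption domain likewise has to name 10.10.1.2, not the LAN range.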
Tags: Cisco Security
Similar Questions
-
PIX to VPN Concentrator tunnel: can I NAT traffic before the tunnel?
I have an IPsec tunnel from a PIX to a VPN Concentrator.
I have a local host on the inside interface of my PIX with the IP 192.168.5.5, but the site at the VPN Concentrator end of the tunnel wants to see the IP 192.168.77.9 (because they use the 192.168.5.x network at their end for another purpose).
I know how to NAT from inside to outside, but I have never NATed traffic before the tunnel.
Can I NAT a local inside IP address BEFORE the traffic hits the tunnel?
Yes, it is possible. Please see the URL below for the configuration details:
http://www.Cisco.com/en/us/Tech/tk583/TK372/technologies_configuration_example09186a00800949f1.shtml
Kind regards
Arul
-
Problem with IPsec tunnel with NAT
Hello
I had an IPsec tunnel between an older Cisco router and a remote site. I am migrating the config from an 887 to an ASA. The remote site cannot establish the tunnel. This is the only site having problems; there are a number of other remote sites connecting back without problem.
The setup is
192.168.1.x (main site inside) - ASA - 86.x.x.x (outside) - Internet - 159.x.x.x (remote site outside) - Firewall - 10.10.10.x
The remote site will not accept the 192.168.1.x range, so I'm NATing to 192.168.50.x, which is what they want to see.
The config I have is
object network NAT_TO_Remote1
 subnet 192.168.50.0 255.255.255.0
object network Remote1
 subnet 10.10.10.0 255.255.252.0
nat (inside,outside) source static 192.168.1.0 NAT_TO_Remote1 destination static Remote1 Remote1
crypto ikev1 policy 30
 authentication pre-share
 encryption 3des
 hash sha
 group 2
 lifetime 86400
crypto ipsec ikev1 transform-set 3DES-SHA1 esp-3des esp-sha-hmac
crypto map Outside_map 10 match address Qualcom_VPN
crypto map Outside_map 10 set peer 159.x.x.x
crypto map Outside_map 10 set ikev1 transform-set 3DES-SHA1
crypto map Outside_map 10 set pfs group1
crypto map Outside_map interface outside
access-list RemoteSite_VPN extended permit ip host 192.168.50.20 10.10.10.0 255.255.252.0
access-list RemoteSite_VPN extended permit ip host 192.168.50.30 10.10.10.0 255.255.252.0
access-list RemoteSite_VPN extended permit ip host 192.168.50.40 10.10.10.0 255.255.252.0
tunnel-group 159.x.x.x type ipsec-l2l
tunnel-group 159.x.x.x general-attributes
 default-group-policy RemoteSites
tunnel-group 159.x.x.x ipsec-attributes
 ikev1 pre-shared-key *
I was wondering if I'm missing something obvious here.
Hello
You should check the IPsec transform set and see whether they have a PFS group enabled or not:
crypto map Outside_map 10 set pfs group1
Try using group2, or turn it off.
Kind regards
Aditya
Please rate the helpful posts and mark the correct answers.
-
RVL200 IPsec: route all or some data traffic through the tunnel, possible?
Is it possible to route all or some data traffic through an IPsec tunnel connection using the RVL200?
I have managed to connect an RVL200 and an RV042 router over IPsec and am able to reach servers/computers behind it.
Now I want to route some or all traffic through the IPsec tunnel for computers on the 192.168.1.0 subnet behind the RVL200.
Main office - RV042 router - 10.200.62.1
Remote desktop - RVL200 router - 192.168.1.1
I am using the Advanced Routing option to add static routes, but I'm not 100% sure I am setting the routes up correctly.
To give an example, routing DNS queries for HOTMAIL.COM [65.55.72.183]:
Destination IP - 65.55.0.0
SM - 255.255.0.0
GW - 10.200.62.1
Hop - 1
LAN - interface
For some reason that doesn't seem to work. I also tried using the WAN interface setting and tested it; it does not work either.
Is this possible? If someone has managed to do this, I'd be very interested to know how to configure it.
See you soon.
MP
The Linksys RVL200 and RV042 do not support split DNS over the IPsec tunnel, which seems to be what you need. You might consider upgrading the routers to the Cisco Small Business RV0xx routers, which do not support split DNS over IPsec.
-
HTTPS between a VPN client and an internet host through the IPsec tunnel: ipsec-spoof
Hello
We have a Cisco ASA 5505 and are trying to get the following to work:
VPN client (192.168.75.5) connected to the Cisco ASA 5505
The client gets a specific route for an internet address (79.143.218.35 255.255.255.255 192.168.75.1 192.168.75.5 100)
When I try to access the URL from the client, I see SYN_SENT in netstat.
When I run packet-tracer on the ASA, I see the following:
1 FLOW-LOOKUP ALLOW Found no matching flow, creating a new flow
2 ROUTE-LOOKUP ALLOW in 0.0.0.0 0.0.0.0 outside
3 ACCESS-LIST log ALLOW access-group outside_access_in in interface outside
access-list outside_access_in extended permit tcp any any eq https
access-list outside_access_in remark hyperion outside inside
4 IP-OPTIONS ALLOW
5 CP-PUNT ALLOW
6 VPN IPSec-tunnel-flow ALLOW
7 IP-OPTIONS ALLOW
8 VPN encrypt ALLOW
Result: input-interface outside, input-status up, input-line-status up, output-interface outside, output-status up, output-line-status up, Action: drop, Drop-reason: (ipsec-spoof) IPSEC Spoof detected
When I try the reverse (i.e. from the internet host to the VPN client), it seems to work:
1 FLOW-LOOKUP ALLOW Found no matching flow, creating a new flow
2 ROUTE-LOOKUP ALLOW in 192.168.75.5 255.255.255.255 outside
3 ACCESS-LIST log ALLOW access-group outside_access_in in interface outside
access-list outside_access_in extended permit ip any any
4 IP-OPTIONS ALLOW
5 VPN IPSec-tunnel-flow ALLOW
6 VPN encrypt ALLOW
My question is why this happens and how do we solve this problem?
Thanks in advance, Sipke
Our running-config:
: Saved
:
ASA Version 8.0(4)
!
hostname ciscoasa
domain-name somedomain
enable password - encrypted
passwd - encrypted
names
name 10.10.1.0 Hyperion
name 164.140.159.x xxxx
name 192.168.72.25 xxxx
name 192.168.72.24 xxxx
name 192.168.72.196 xxxx
name 192.168.75.0 vpn clients
name 213.206.236.0 xxxx
name 143.47.160.0 xxxx
name 141.143.32.0 xxxx
name 141.143.0.0 xxxx
name 192.168.72.27 xxxx
name 10.1.11.0 xxxx
name 10.1.2.240 xxxx
name 10.1.1.0 xxxx
name 10.75.2.1 xxxx
name 10.75.2.23 xxxx
name 192.168.72.150 xxxx
name 192.168.33.0 xxxx
name 192.168.72.26 xxxx
name 192.168.72.5 xxxx
name 192.168.23.0 xxxx
name 192.168.34.0 xxxx
name 79.143.218.35 inethost
!
interface Vlan1
 nameif inside
 security-level 100
 ip address 192.168.72.254 255.255.255.0
 ospf cost 10
!
interface Vlan2
 nameif outside
 security-level 0
 ip address 193.173.x.x 255.255.255.240
 ospf cost 10
!
interface Vlan3
 shutdown
 nameif dmz
 security-level 50
 ip address 192.168.50.1 255.255.255.0
 ospf cost 10
!
interface Vlan23
 nameif wireless
 security-level 80
 ip address 192.168.40.1 255.255.255.0
 ospf cost 10
!
interface Ethernet0/0
 switchport access vlan 2
!
interface Ethernet0/1
!
interface Ethernet0/2
!
interface Ethernet0/3
!
interface Ethernet0/4
!
interface Ethernet0/5
 switchport access vlan 3
!
interface Ethernet0/6
 switchport access vlan 23
!
interface Ethernet0/7
!
ftp mode passive
clock timezone CET 1
clock summer-time CEDT recurring last Sun Mar 2:00 last Sun Oct 3:00
dns domain-lookup inside
dns server-group DefaultDNS
 domain-name pearle.local
same-security-traffic permit inter-interface
same-security-traffic permit intra-interface
object-group protocol TCPUDP
 protocol-object udp
 protocol-object tcp
object-group service RDP tcp
 description Remote Desktop Protocol
 port-object eq 3389
object-group service UDP-VC udp
 port-object range 60000 60039
object-group service VC-TCP tcp
 port-object range 60000 60009
object-group service Fortis tcp
 port-object range 1501 1501
 port-object range 1502 1502
 port-object range sqlnet sqlnet
 port-object range 1584 1584
 port-object range 1592 1592
object-group service fortis tcp
 port-object range 1592 1592
 port-object range 1502 1502
 port-object range 1584 1584
 port-object range sqlnet sqlnet
 port-object range 1501 1501
 port-object range 1500 1500
object-group network DM_INLINE_NETWORK_1
 network-object 192.168.50.0 255.255.255.0
 network-object 192.168.72.0 255.255.255.0
 network-object 192.168.40.0 255.255.255.0
 network-object VPN_Pool_2 255.255.255.0
object-group network DM_INLINE_NETWORK_2
 network-object 192.168.50.0 255.255.255.0
 network-object 192.168.72.0 255.255.255.0
object-group network inside-networks
 network-object 192.168.72.0 255.255.255.0
object-group service WingFTP_TCP tcp
 description Secure FTP
 port-object eq 989
 port-object eq 990
object-group service DM_INLINE_TCP_1 tcp
 port-object eq ftp
 port-object eq ftp-data
 group-object WingFTP_TCP
object-group service DM_INLINE_TCP_2 tcp
 port-object eq ftp
 port-object eq ftp-data
 group-object WingFTP_TCP
object-group network DM_INLINE_NETWORK_3
 network-object 192.168.72.0 255.255.255.0
 network-object VPN_Pool_2 255.255.255.0
object-group network DM_INLINE_NETWORK_4
 network-object 192.168.72.0 255.255.255.0
 network-object VPN_Pool_2 255.255.255.0
object-group network Oracle
 network-object OracleTwo 255.255.224.0
 network-object OracleOne 255.255.240.0
 network-object OracleThree 255.255.224.0
object-group network DM_INLINE_NETWORK_5
 network-object Grandvision 255.255.255.0
 network-object Grandvision2 255.255.255.240
 network-object Grandvision3 255.255.255.0
 network-object host Grandvision4
 network-object host GrandVision_PC
object-group network DM_INLINE_NETWORK_6
 network-object Grandvision 255.255.255.0
 network-object Grandvision2 255.255.255.240
 network-object Grandvision3 255.255.255.0
 network-object host Grandvision4
 network-object host GrandVision_PC
object-group network DM_INLINE_NETWORK_7
 network-object Grandvision 255.255.255.0
 network-object Grandvision2 255.255.255.240
 network-object Grandvision3 255.255.255.0
 network-object host GrandVision_PC
object-group network DM_INLINE_NETWORK_8
 network-object Grandvision 255.255.255.0
 network-object Grandvision2 255.255.255.240
 network-object Grandvision3 255.255.255.0
 network-object host GrandVision_PC
object-group service DM_INLINE_SERVICE_2
 service-object ip
 service-object tcp eq 3389
object-group network DM_INLINE_NETWORK_9
 network-object OracleThree 255.255.0.0
 network-object OracleTwo 255.255.224.0
 network-object OracleOne 255.255.240.0
object-group service DM_INLINE_SERVICE_3
 service-object ip
 service-object tcp eq 3389
object-group service Atera tcp
 description Atera web-based monitoring
 port-object range 8001 8001
 port-object range 8002 8002
 port-object range 8003 8003
object-group service WingFTP_UDP udp
 port-object eq 989
 port-object eq 990
object-group service WingFTP tcp
 description port range for data transfer
 port-object range 1024 1054
object-group service HTTPS_redirected tcp
 description redirect WingFTP Server
 port-object eq 40200
access-list inside_access_in remark ICMP test protocol inside outside
access-list inside_access_in extended permit icmp 192.168.72.0 255.255.255.0 any
access-list inside_access_in remark ICMP test protocol inside outside
access-list inside_access_in remark HTTP inside outside
access-list inside_access_in extended permit object-group TCPUDP 192.168.72.0 255.255.255.0 any eq www
access-list inside_access_in remark DNS queries inside to outside
access-list inside_access_in extended permit object-group TCPUDP 192.168.72.0 255.255.255.0 any eq domain
access-list inside_access_in remark HTTPS inside outside
access-list inside_access_in extended permit tcp 192.168.72.0 255.255.255.0 any eq https
access-list inside_access_in remark ICMP test protocol inside outside
access-list inside_access_in remark 7472 Epo-items inside outside
access-list inside_access_in extended permit tcp 192.168.72.0 255.255.255.0 any eq 7472
access-list inside_access_in remark POP3 inside outside
access-list inside_access_in extended permit tcp 192.168.72.0 255.255.255.0 any eq pop3
access-list inside_access_in extended permit udp host LifeSize-PE-HQ any object-group UDP-VC
access-list inside_access_in extended permit tcp host LifeSize-PE-HQ any eq h323
access-list inside_access_in remark video conference services
access-list inside_access_in extended permit tcp host LifeSize-PE-HQ any object-group VC-TCP
access-list inside_access_in extended permit tcp 192.168.72.0 255.255.255.0 any
access-list inside_access_in remark Fortis
access-list inside_access_in extended permit tcp 192.168.72.0 255.255.255.0 any object-group Fortis
access-list inside_access_in extended permit ip 192.168.40.0 255.255.255.0 any
access-list inside_access_in extended permit tcp 192.168.40.0 255.255.255.0 any
access-list inside_access_in extended permit tcp 192.168.40.0 255.255.255.0 any eq www
access-list inside_access_in extended permit tcp 192.168.40.0 255.255.255.0 any eq https
access-list inside_access_in extended permit ip Hyperion 255.255.255.0 any
access-list inside_access_in extended permit udp any any eq isakmp
access-list inside_access_in extended permit udp any any eq ntp
access-list inside_access_in extended permit udp any any eq 4500
access-list inside_access_in extended permit ip any object-group Oracle
access-list inside_access_in extended permit udp any any eq 10000
access-list inside_access_in remark PPTP inside outside
access-list inside_access_in extended permit tcp any any eq pptp
access-list inside_access_in remark GRE inside outside
access-list inside_access_in extended permit gre any any
access-list inside_access_in remark RIM BES server infrastructure
access-list inside_access_in extended permit tcp host BESServer any eq 3101
access-list inside_access_in extended permit tcp any any object-group DM_INLINE_TCP_2
access-list inside_access_in extended permit tcp any any object-group HTTPS_redirected
access-list inside_access_in extended permit ip Hyperion 255.255.255.0 VPN_Pool_2 255.255.255.0
access-list inside_access_in extended permit udp any host 86.109.255.177 eq 1194
access-list inside_access_in extended permit ip 192.168.72.0 255.255.255.0 object-group DM_INLINE_NETWORK_7
access-list inside_access_in extended permit ip VPN_Pool_2 255.255.255.0 any
access-list inside_access_in extended deny ip any any log debugging inactive
access-list outside_access_in remark ICMP test protocol outside inside
access-list outside_access_in extended permit icmp any any
access-list outside_access_in remark SMTP outside inside
access-list outside_access_in extended permit tcp any any eq smtp
access-list outside_access_in extended permit udp any any eq ntp log disable
access-list outside_access_in remark 7472 EPO-items outside inside
access-list outside_access_in extended permit tcp any any eq 7472
access-list outside_access_in extended permit tcp any any object-group RDP inactive
access-list outside_access_in extended permit tcp any any eq www
access-list outside_access_in extended permit tcp any any object-group HTTPS_redirected
access-list outside_access_in extended permit tcp any any eq https
access-list outside_access_in remark hyperion outside inside
access-list outside_access_in extended permit tcp Hyperion 255.255.255.0 object-group DM_INLINE_NETWORK_4
access-list outside_access_in extended permit ip Hyperion 255.255.255.0 object-group DM_INLINE_NETWORK_3
access-list outside_access_in extended permit tcp any host LifeSize-PE-HQ eq h323
access-list outside_access_in extended permit tcp any host LifeSize-PE-HQ object-group VC-TCP
access-list outside_access_in extended permit udp any host LifeSize-PE-HQ object-group UDP-VC
access-list outside_access_in extended permit ip any any
access-list outside_access_in extended permit udp any any eq 4500
access-list outside_access_in extended permit udp any any eq isakmp
access-list outside_access_in extended permit udp any any eq 10000
access-list outside_access_in extended permit gre any any
access-list outside_access_in extended permit tcp any any eq pptp
access-list outside_access_in extended permit tcp any any object-group DM_INLINE_TCP_1
access-list outside_access_in extended permit ip object-group DM_INLINE_NETWORK_8 192.168.72.0 255.255.255.0 inactive
access-list outside_access_in extended permit tcp any any object-group Atera
access-list outside_access_in extended deny ip any any log debugging inactive
access-list outside_1_cryptomap extended permit ip object-group DM_INLINE_NETWORK_2 Hyperion 255.255.255.0
access-list outside_1_cryptomap extended permit ip 192.168.50.0 255.255.255.0 Hyperion 255.255.255.0
access-list inside_nat0_outbound extended permit ip 192.168.72.0 255.255.255.0 Hyperion 255.255.255.0
access-list inside_nat0_outbound extended permit ip any 193.172.182.64 255.255.255.240
access-list inside_nat0_outbound extended permit ip any 192.168.72.192 255.255.255.192
access-list inside_nat0_outbound extended permit ip any 192.168.72.0 255.255.255.0
access-list inside_nat0_outbound extended permit ip 192.168.72.0 255.255.255.0 VPN_Pool_2 255.255.255.0
access-list inside_nat0_outbound extended permit ip 192.168.72.0 255.255.255.0 object-group DM_INLINE_NETWORK_5
access-list inside_nat0_outbound extended permit ip any GrandVisionSoesterberg 255.255.255.0
access-list inside_nat0_outbound extended permit ip any Swabach 255.255.255.0
access-list 200 extended permit tcp any host fortis object-group fortis
access-list outside_nat0_outbound extended permit ip VPN_Pool_2 255.255.255.0 object-group DM_INLINE_NETWORK_9
access-list outside_cryptomap_2 extended permit ip object-group DM_INLINE_NETWORK_1 Hyperion 255.255.255.0
access-list outside_cryptomap_2 extended permit ip 192.168.50.0 255.255.255.0 Hyperion 255.255.255.0
access-list Wireless_access_in remark Hyperion / wifi access, select NAT rule.
access-list Wireless_access_in extended permit ip 192.168.40.0 255.255.255.0 Hyperion 255.255.255.0 inactive
access-list Wireless_access_in extended deny ip 192.168.40.0 255.255.255.0 192.168.72.0 255.255.255.0
access-list Wireless_access_in remark Internet access traffic
access-list Wireless_access_in extended permit ip 192.168.40.0 255.255.255.0 any
access-list splittunnelclientvpn standard permit 192.168.72.0 255.255.255.0
access-list splittunnelclientvpn standard permit Hyperion 255.255.255.0
access-list splittunnelclientvpn standard permit Pearleshare 255.255.255.0
access-list splittunnelclientvpn standard permit host 85.17.235.22
access-list splittunnelclientvpn standard permit OracleThree 255.255.224.0
access-list splittunnelclientvpn standard permit 143.47.128.0 255.255.240.0
access-list splittunnelclientvpn standard permit host inethost
access-list SplittnlHyperion standard permit OracleThree 255.255.0.0
access-list SplittnlOOD standard permit OracleThree 255.255.0.0
access-list SplittnlOOD standard permit 143.47.128.0 255.255.240.0
access-list outside_cryptomap extended permit ip 192.168.72.0 255.255.255.0 object-group DM_INLINE_NETWORK_6
access-list outside_cryptomap_1 extended permit ip any GrandVisionSoesterberg 255.255.255.0
access-list outside_cryptomap_3 extended permit ip any Swabach 255.255.255.0
access-list sheep extended permit ip 192.168.72.0 255.255.255.0 GrandVisionSoesterberg 255.255.255.0
access-list sheep extended permit ip 192.168.72.0 255.255.255.0 VPN_Pool_2 255.255.255.0
pager lines 24
logging enable
logging asdm informational
mtu inside 1500
mtu outside 1500
mtu dmz 1500
mtu wireless 1500
ip local pool VPN_DHCP 192.168.72.220-192.168.72.235 mask 255.255.255.0
ip local pool VPN_Range_2 192.168.75.1-192.168.75.50 mask 255.255.255.0
no failover
icmp unreachable rate-limit 1 burst-size 1
icmp permit any inside
icmp permit any outside
asdm image disk0:/asdm-613.bin
no asdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 0 access-list sheep
nat (inside) 1 0.0.0.0 0.0.0.0
nat (wireless) 1 192.168.40.0 255.255.255.0
static (inside,outside) tcp interface smtp Mailsrv_Pearle_Europe smtp netmask 255.255.255.255
static (inside,outside) tcp interface ftp Pearle-DC02 ftp netmask 255.255.255.255
static (inside,outside) tcp interface 990 Pearle-DC02 990 netmask 255.255.255.255
static (inside,outside) tcp interface 3389 Mailsrv_Pearle_Europe 3389 netmask 255.255.255.255
static (inside,outside) tcp interface www Pearle-DC02 www netmask 255.255.255.255
static (inside,outside) tcp interface 40200 Pearle-DC02 40200 netmask 255.255.255.255
static (inside,outside) tcp interface https Exchange2010 https netmask 255.255.255.255
static (inside,outside) tcp interface h323 LifeSize-PE-HQ h323 netmask 255.255.255.255
static (inside,outside) tcp interface 60000 LifeSize-PE-HQ 60000 netmask 255.255.255.255
static (inside,outside) tcp interface 60001 LifeSize-PE-HQ 60001 netmask 255.255.255.255
static (inside,outside) tcp interface 60002 LifeSize-PE-HQ 60002 netmask 255.255.255.255
static (inside,outside) tcp interface 60003 LifeSize-PE-HQ 60003 netmask 255.255.255.255
static (inside,outside) tcp interface 60004 LifeSize-PE-HQ 60004 netmask 255.255.255.255
static (inside,outside) tcp interface 60005 LifeSize-PE-HQ 60005 netmask 255.255.255.255
static (inside,outside) tcp interface 60006 LifeSize-PE-HQ 60006 netmask 255.255.255.255
static (inside,outside) tcp interface 60007 LifeSize-PE-HQ 60007 netmask 255.255.255.255
static (inside,outside) tcp interface 60008 LifeSize-PE-HQ 60008 netmask 255.255.255.255
static (inside,outside) tcp interface 60009 LifeSize-PE-HQ 60009 netmask 255.255.255.255
static (inside,outside) udp interface 60001 LifeSize-PE-HQ 60001 netmask 255.255.255.255
static (inside,outside) udp interface 60002 LifeSize-PE-HQ 60002 netmask 255.255.255.255
static (inside,outside) udp interface 60003 LifeSize-PE-HQ 60003 netmask 255.255.255.255
static (inside,outside) udp interface 60004 LifeSize-PE-HQ 60004 netmask 255.255.255.255
static (inside,outside) udp interface 60005 LifeSize-PE-HQ 60005 netmask 255.255.255.255
static (inside,outside) udp interface 60006 LifeSize-PE-HQ 60006 netmask 255.255.255.255
static (inside,outside) udp interface 60007 LifeSize-PE-HQ 60007 netmask 255.255.255.255
static (inside,outside) udp interface 60008 LifeSize-PE-HQ 60008 netmask 255.255.255.255
static (inside,outside) udp interface 60009 LifeSize-PE-HQ 60009 netmask 255.255.255.255
static (inside,outside) udp interface 60010 LifeSize-PE-HQ 60010 netmask 255.255.255.255
static (inside,outside) udp interface 60011 LifeSize-PE-HQ 60011 netmask 255.255.255.255
static (inside,outside) udp interface 60012 LifeSize-PE-HQ 60012 netmask 255.255.255.255
static (inside,outside) udp interface 60013 LifeSize-PE-HQ 60013 netmask 255.255.255.255
static (inside,outside) udp interface 60014 LifeSize-PE-HQ 60014 netmask 255.255.255.255
static (inside,outside) udp interface 60015 LifeSize-PE-HQ 60015 netmask 255.255.255.255
static (inside,outside) udp interface 60016 LifeSize-PE-HQ 60016 netmask 255.255.255.255
static (inside,outside) udp interface 60017 LifeSize-PE-HQ 60017 netmask 255.255.255.255
static (inside,outside) udp interface 60018 LifeSize-PE-HQ 60018 netmask 255.255.255.255
static (inside,outside) udp interface 60019 LifeSize-PE-HQ 60019 netmask 255.255.255.255
static (inside,outside) udp interface 60020 LifeSize-PE-HQ 60020 netmask 255.255.255.255
static (inside,outside) udp interface 60021 LifeSize-PE-HQ 60021 netmask 255.255.255.255
static (inside,outside) udp interface 60022 LifeSize-PE-HQ 60022 netmask 255.255.255.255
static (inside,outside) udp interface 60023 LifeSize-PE-HQ 60023 netmask 255.255.255.255
static (inside,outside) udp interface 60024 LifeSize-PE-HQ 60024 netmask 255.255.255.255
static (inside,outside) udp interface 60025 LifeSize-PE-HQ 60025 netmask 255.255.255.255
static (inside,outside) udp interface 60026 LifeSize-PE-HQ 60026 netmask 255.255.255.255
static (inside,outside) udp interface 60027 LifeSize-PE-HQ 60027 netmask 255.255.255.255
static (inside,outside) udp interface 60028 LifeSize-PE-HQ 60028 netmask 255.255.255.255
static (inside,outside) udp interface 60029 LifeSize-PE-HQ 60029 netmask 255.255.255.255
static (inside,outside) udp interface 60030 LifeSize-PE-HQ 60030 netmask 255.255.255.255
static (inside,outside) udp interface 60031 LifeSize-PE-HQ 60031 netmask 255.255.255.255
static (inside,outside) udp interface 60032 LifeSize-PE-HQ 60032 netmask 255.255.255.255
static (inside,outside) udp interface 60033 LifeSize-PE-HQ 60033 netmask 255.255.255.255
static (inside,outside) udp interface 60034 LifeSize-PE-HQ 60034 netmask 255.255.255.255
static (inside,outside) udp interface 60035 LifeSize-PE-HQ 60035 netmask 255.255.255.255
static (inside,outside) udp interface 60036 LifeSize-PE-HQ 60036 netmask 255.255.255.255
static (inside,outside) udp interface 60037 LifeSize-PE-HQ 60037 netmask 255.255.255.255
static (inside,outside) udp interface 60038 LifeSize-PE-HQ 60038 netmask 255.255.255.255
static (inside,outside) udp interface 60039 LifeSize-PE-HQ 60039 netmask 255.255.255.255
static (inside,outside) udp interface 60040 LifeSize-PE-HQ 60040 netmask 255.255.255.255
static (inside,outside) tcp interface 7472 Mailsrv_Pearle_Europe 7472 netmask 255.255.255.255
static (inside,outside) tcp interface 8001 LanSweep-XP 8001 netmask 255.255.255.255
static (inside,outside) tcp interface 8002 LanSweep-XP 8002 netmask 255.255.255.255
static (inside,outside) tcp interface 8003 LanSweep-XP 8003 netmask 255.255.255.255
static (inside,outside) tcp 193.173.12.194 https Pearle-DC02 https netmask 255.255.255.255
access-group inside_access_in in interface inside
access-group outside_access_in in interface outside
access-group Wireless_access_in in interface wireless
route outside 0.0.0.0 0.0.0.0 193.173.12.206 1
route outside OracleThree 255.255.224.0 193.173.12.198 1
route outside 143.47.128.0 255.255.240.0 193.173.12.198 1
route inside 172.27.0.0 255.255.255.0 Pearle-DC02 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
dynamic-access-policy-record DfltAccessPolicy
aaa authentication telnet console LOCAL
aaa authentication ssh console LOCAL
http server enable
http 192.168.40.0 255.255.255.0 wireless
http 192.168.1.0 255.255.255.0 inside
http 192.168.72.0 255.255.255.0 inside
http GrandVisionSoesterberg 255.255.255.0 inside
snmp-server host inside 192.168.33.29 poll community public version 2c
snmp-server location Schiphol
snmp-server contact SSmeekes
snmp-server community public
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
crypto ipsec transform-set ESP-DES-SHA esp-des esp-sha-hmac
crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac
crypto ipsec transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto ipsec transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
crypto ipsec transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
crypto ipsec transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac
crypto ipsec transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec transform-set GRANDVISION esp-aes-256 esp-md5-hmac
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set pfs
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set security-association lifetime seconds 28800
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set security-association lifetime kilobytes 4608000
crypto map outside_map0 1 match address outside_cryptomap_1
crypto map outside_map0 1 set pfs
crypto map outside_map0 1 set peer 212.78.223.182
crypto map outside_map0 1 set transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5
crypto map outside_map0 1 set security-association lifetime seconds 28800
crypto map outside_map0 1 set security-association lifetime kilobytes 4608000
crypto map outside_map0 2 match address outside_cryptomap_2
crypto map outside_map0 2 set peer 193.173.12.193
crypto map outside_map0 2 set transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5
crypto map outside_map0 2 set security-association lifetime seconds 28800
crypto map outside_map0 2 set security-association lifetime kilobytes 4608000
crypto map outside_map0 3 match address outside_1_cryptomap
crypto map outside_map0 3 set pfs
crypto map outside_map0 3 set peer 193.172.182.66
crypto map outside_map0 3 set transform-set ESP-3DES-SHA
crypto map outside_map0 3 set security-association lifetime seconds 28800
crypto map outside_map0 3 set security-association lifetime kilobytes 4608000
crypto map outside_map0 4 match address outside_cryptomap
crypto map outside_map0 4 set peer 213.56.81.58
crypto map outside_map0 4 set transform-set GRANDVISION
crypto map outside_map0 4 set security-association lifetime seconds 28800
crypto map outside_map0 4 set security-association lifetime kilobytes 4608000
crypto map outside_map0 5 match address outside_cryptomap_3
crypto map outside_map0 5 set pfs
crypto map outside_map0 5 set peer 86.109.255.177
crypto map outside_map0 5 set transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5
crypto map outside_map0 5 set security-association lifetime seconds 28800
crypto map outside_map0 5 set security-association lifetime kilobytes 4608000
crypto map outside_map0 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
crypto map outside_map0 interface outside
crypto isakmp enable inside
crypto isakmp enable outside
crypto isakmp enable dmz
crypto isakmp enable wireless
crypto isakmp policy 5
 authentication pre-share
 encryption 3des
 hash sha
 group 2
 lifetime 86400
Telnet 192.168.72.0 255.255.255.0 inside
Telnet timeout 5
SSH 192.168.72.0 255.255.255.0 inside
SSH GrandVisionSoesterberg 255.255.255.0 inside
SSH 213.144.239.0 255.255.255.192 outside
SSH timeout 5
Console timeout 0
management-access inside
dhcpd dns 194.151.228.18 is 10.10.1.100
dhcpd outside auto_config
!
dhcpd address 192.168.72.253-192.168.72.253 inside
!
dhcpd address 192.168.50.10-192.168.50.50 dmz
dhcpd enable dmz
!
dhcpd address 192.168.40.10-192.168.40.99 wireless
dhcpd dns 194.151.228.18 interface wireless
dhcpd enable wireless
!
threat-detection basic-threat
threat-detection statistics host
threat-detection statistics port
threat-detection statistics protocol
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
group-policy "pearle_vpn_Hyp only" internal
group-policy "pearle_vpn_Hyp only" attributes
 wins-server value 192.168.72.25
 dns-server value 192.168.72.25
 vpn-tunnel-protocol IPSec l2tp-ipsec
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value SplittnlHyperion
 split-dns value pearle.local
group-policy pearle_vpn_OOD_only internal
group-policy pearle_vpn_OOD_only attributes
 split-tunnel-network-list value SplittnlOOD
group-policy pearle_vpn internal
group-policy pearle_vpn attributes
 wins-server value 192.168.72.25
 dns-server value 192.168.72.25
 vpn-tunnel-protocol IPSec l2tp-ipsec svc
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value splittunnelclientvpn
 default-domain value pearle.local
 split-dns value pearle.local
username anyone password ***** encrypted
username something attributes
 vpn-group-policy pearle_vpn_OOD_only
 service-type remote-access
tunnel-group 193 type ipsec-l2l
tunnel-group 193 ipsec-attributes
 pre-shared-key *****
tunnel-group 193.173.12.193 type ipsec-l2l
tunnel-group 193.173.12.193 ipsec-attributes
 pre-shared-key *****
 peer-id-validate nocheck
tunnel-group pearle_vpn type remote-access
tunnel-group pearle_vpn general-attributes
 address-pool VPN_Range_2
 default-group-policy pearle_vpn
tunnel-group pearle_vpn ipsec-attributes
 pre-shared-key *****
tunnel-group Pearle_VPN_2 type remote-access
tunnel-group Pearle_VPN_2 general-attributes
 address-pool VPN_Range_2
 default-group-policy "pearle_vpn_Hyp only"
tunnel-group Pearle_VPN_2 ipsec-attributes
 pre-shared-key *****
tunnel-group 213.56.81.58 type ipsec-l2l
tunnel-group 213.56.81.58 ipsec-attributes
 pre-shared-key *****
tunnel-group 212.78.223.182 type ipsec-l2l
tunnel-group 212.78.223.182 ipsec-attributes
 pre-shared-key *****
tunnel-group 86.109.255.177 type ipsec-l2l
tunnel-group 86.109.255.177 ipsec-attributes
 pre-shared-key *****
!
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum 512
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect rsh
  inspect rtsp
  inspect skinny
  inspect sunrpc
  inspect xdmcp
  inspect sip
  inspect netbios
  inspect tftp
  inspect pptp
!
service-policy global_policy global
prompt hostname context
Cryptochecksum:7d4d9c7ca7c865d9e40f5d77ed1238eb
: end
asdm image disk0:/asdm-613.bin
asdm location BESServer 255.255.255.255 inside
asdm location VPN_Pool_2 255.255.255.0 inside
asdm location OracleTwo 255.255.224.0 inside
asdm location OracleOne 255.255.240.0 inside
asdm location OracleThree 255.255.224.0 inside
asdm location Exchange2010 255.255.255.255 inside
asdm location Grandvision 255.255.255.0 inside
asdm location Grandvision2 255.255.255.240 inside
asdm location Grandvision3 255.255.255.0 inside
asdm location Grandvision4 255.255.255.255 inside
asdm location GrandVision_PC 255.255.255.255 inside
asdm location LanSweep-XP 255.255.255.255 inside
asdm location GrandVisionSoesterberg 255.255.255.0 inside
asdm location Pearle-DC02 255.255.255.255 inside
asdm location Pearle-WDS 255.255.255.255 inside
asdm location Swabach 255.255.255.0 inside
asdm location GrandVisionSoesterberg2 255.255.255.0 inside
no asdm history enable
Where is that host (inethost)? Inside the ASA, or on the internet (on the outside)?
If it is outside, you need to configure NAT for the VPN pool as it leaves the ASA:
nat (outside) 1 192.168.75.0 255.255.255.0
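An added example (mine, not the poster's configuration or the reply's) of what the reply's nat (outside) 1 line needs around it on an 8.2-style ASA for a remote-access client in the 192.168.75.0/24 pool to reach an internet host back out through the outside interface. The internet host 203.0.113.10 and the use of the poster's SplittnlHyperion list are assumptions.

```cisco
! Added example, not from the thread. ASA 8.2 syntax.
! Decrypted client traffic arrives on outside and must leave on outside again (hairpin),
! which the ASA refuses unless intra-interface forwarding is allowed.
same-security-traffic permit intra-interface
!
! The client pool is translated like any inside network when it exits the outside interface.
! Without this the packets leave with a 192.168.75.x source and the replies never come back.
nat (outside) 1 192.168.75.0 255.255.255.0
global (outside) 1 interface
!
! The client only sends the internet host into the tunnel if that host is in the split-tunnel
! list (or the policy is tunnelall). 203.0.113.10 is an assumed internet host.
access-list SplittnlHyperion standard permit host 203.0.113.10
!
! Check after a client has connected and browsed: an xlate from the pool to the outside address.
! show xlate | include 192.168.75
```

If the split-tunnel policy stays tunnelspecified and the internet host is not in the list, the client sends that traffic out its own default route and the ASA never sees it, so no NAT rule on the ASA can help.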
-
9.0 can a dynamic nat be used via ipsec vpn?
We have a VPN up and working between ASAs, and when we run traffic through a static NAT rule the traffic goes over the VPN. When we use a dynamic NAT, the traffic does not get picked up by the VPN ACL.
We disabled the NAT rules to switch back and forth, and even when we use the same source and destination the result is the same.
Am I missing something with the 9.0 versions of code? If I disable all the NATs and pass traffic, it goes via the VPN.
So it seems that when you use the dynamic NAT statement, it pushes traffic to the external interface without looking at the VPN ACL. Please let me know if I'm crazy; I'm a newbie on 8.3 code.
Thank you
Have you included the NATted IP address or range in the crypto ACL?
Have you allowed the NATted IP address or range at the other end of the tunnel?
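An added example (mine, not the poster's or the reply's configuration) of the approach the reply points at: translate only the VPN-bound traffic into a dedicated pool with a manual (section 1) twice-NAT rule, and write the crypto ACL on the mapped pool. Object names, 192.168.1.0/24, 172.16.50.0/24, the 10.200.0.0/24 pool, the peer 203.0.113.1 and the map name are assumptions; the IKE policy and tunnel-group are left out. ASA 8.3 or later (9.0 included) syntax.

```cisco
! Added example, not from the thread. ASA 8.3+/9.0 syntax; all names and addresses are assumptions.
object network LOCAL_LAN
 subnet 192.168.1.0 255.255.255.0
 ! Ordinary internet PAT (auto NAT, section 2). On its own this is what the poster saw:
 ! the source becomes the outside address and the crypto ACL never matches.
 nat (inside,outside) dynamic interface
object network REMOTE_LAN
 subnet 172.16.50.0 255.255.255.0
object network VPN_NAT_POOL
 subnet 10.200.0.0 255.255.255.0
!
! Manual rule (section 1, evaluated before any auto NAT): only traffic for REMOTE_LAN is
! translated, one pool address per inside host; everything else falls through to the PAT above.
nat (inside,outside) 1 source dynamic LOCAL_LAN VPN_NAT_POOL destination static REMOTE_LAN REMOTE_LAN
!
! The crypto ACL is matched after NAT, so it names the mapped pool, not 192.168.1.0/24.
! The peer's crypto ACL and routing must treat 10.200.0.0/24 as this site's network.
access-list VPN_TO_REMOTE extended permit ip 10.200.0.0 255.255.255.0 172.16.50.0 255.255.255.0
crypto ipsec ikev1 transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
crypto map outside_map 10 match address VPN_TO_REMOTE
crypto map outside_map 10 set peer 203.0.113.1
crypto map outside_map 10 set ikev1 transform-set ESP-AES-256-SHA
crypto map outside_map interface outside
!
! Check: the NAT phase must show the section-1 rule mapping 192.168.1.10 into 10.200.0.0/24
! and the VPN phase must match. If the NAT phase shows "dynamic interface" instead, the manual
! rule did not match (wrong destination object) and the packet left as plain internet traffic.
packet-tracer input inside tcp 192.168.1.10 12345 172.16.50.20 443
```

Because the pool is allocated dynamically, sessions can only be started from this side; if the remote site must initiate, use a static (one-to-one) source translation in the same manual rule instead.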
-
Client VPN with IPsec tunneling over TCP transport does not work
Hello world
The VPN client works well with IPsec tunneling over UDP transport.
I am testing to see if it works when I choose the VPN client with IPsec over TCP.
Under the group policy, I disabled IPsec over UDP and set port 10000.
But the VPN connection failed.
What should I do to make the VPN work using IPsec over TCP?
Regards
Mahesh
Mahesh,
You must use "crypto ikev1 ipsec-over-tcp port 10000".
"crypto isakmp ipsec-over-tcp" works on images below 8.3.
HTH
-
VPN3005 and GRE as interesting traffic (in tunnel)
Hello
Is it possible to qualify GRE or IP-in-IP tunnel traffic as interesting traffic
(in a LAN-to-LAN tunnel) on a VPN 3005?
On a router or PIX you simply define an access-list with gre or ip; how
can you do that on a concentrator, if it is possible at all?
Thanks in advance,
Kind regards
Stefan
Hello
Just set the network lists (based on interesting traffic) and the concentrator encrypts GRE traffic just like the IP or ICMP protocol, so no specific configuration is necessary.
Thank you
AFAQ
-
Random IPsec tunnel packet drops
Hi experts,
I am trying to solve a random packet-drop problem for an IPsec tunnel between two VTIs. For more than a month we did not see any issue, and since today we have 30% packet loss through the IPsec tunnel.
After analysis, I have concluded that the packet loss is located somewhere on the way from the uc520 to the 2921. The packet counts look correct on the physical output interface of the uc520, but the packet count is low on the ingress interface of the 2921.
Pings outside of the tunnel along the path are fine.
I also deleted the tunnels on both ends, and after they came back up the issue was still present.
Any pointers on where to look for where the packets get lost?
RR-hq-2921#ping 10.1.13.1 source g0/1 repeat 100
Type escape sequence to abort.
Sending 100, 100-byte ICMP Echos to 10.1.13.1, timeout is 2 seconds:
Packet sent with a source address of 10.1.1.1
!!..!.!!!!!!!!!..!!!!!!!!!!!!!!.!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
..!!.!!!!!!!!!!!.!!!!!!!!.!!!!
Topology:
[uc520] == ONT == {{{cloud}}} == MODEM == [2921]
Test:
2921# clear counters g0/0
Clear "show interface" counters on this interface [confirm]
%CLEAR-5-COUNTERS: Clear counter on interface GigabitEthernet0/0
Execute on uc520: ping <destination> source <interface> timeout 0 repeat 4000
This is supposed to rapidly increase the packet count at the remote end by 4000 packets, as it did on the uc520 output interface.
2921# sh int g0/0 | i packets input
     3348 packets input, 607812 bytes, 0 no buffer   <-- missing ~650
2921# sh int g0/0
GigabitEthernet0/0 is up, line protocol is up
  Hardware is CN Gigabit Ethernet, address is XXXXXXXX
  Description: Outside - WAN port
  Internet address is XXX.XXX.XXX.XXX/YY
  MTU 1500 bytes, BW 35000 Kbit/sec, DLY 10 usec,
     reliability 255/255, txload 1/255, rxload 1/255
  Encapsulation ARPA, loopback not set
  Keepalive set (10 sec)
  Full Duplex, 1Gbps, media type is RJ45
  output flow-control is XON, input flow-control is XON
  ARP type: ARPA, ARP Timeout 04:00:00
  Last input 00:00:00, output 00:00:00, output hang never
  Last clearing of "show interface" counters 00:00:42
  Input queue: 0/75/0/0 (size/max/drops/flushes); Total output drops: 0
  Queueing strategy: fifo
  Output queue: 0/40 (size/max)
  30 second input rate 75000 bits/sec, 51 packets/sec
  30 second output rate 77000 bits/sec, 52 packets/sec
     3456 packets input, 619794 bytes, 0 no buffer
     Received 0 broadcasts (0 IP multicasts)
     0 runts, 0 giants, 0 throttles
     0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored
     0 watchdog, 0 multicast, 0 pause input
     3454 packets output, 632194 bytes, 0 underruns
     0 output errors, 0 collisions, 0 interface resets
     0 unknown protocol drops
     0 babbles, 0 late collision, 0 deferred
     0 lost carrier, 0 no carrier, 0 pause output
     0 output buffer failures, 0 output buffers swapped out
Good info.
Now, did you ask your ISP if they made any recent changes?
I think your suspicion is correct, and if the packet counts do not match, then probably something in the environment has changed, since it worked before with the same configuration and IOS versions.
HTH.
-
Hi guys!
I have a little problem with my setup.
I would like to reach host Y from X through a VPN tunnel.
My setup works fine until I add this static NAT entry:
ip nat inside source static 10.20.20.1 198.41.10.1
In this case, the tunnel endpoints cannot reach each other (172.16.13.1 <-> 172.16.13.2).
The Ext_Router does the NAT translation, and the tunnel is located between Ext_Router and R7.
What is the problem?
The configuration files are attached.
Hello
First, I would like to say that my experience with GRE + IPsec has been pretty slim.
But what it seems to me, looking at the configurations and NAT, is that you have the following configurations with respect to NAT on R5/Ext_Router:
- PAT translation configured for the LAN networks using the IP address of Serial0/0 as the PAT address
- A static NAT for a single LAN host that ALSO uses the IP address of Serial0/0 for the translation.
If the NAT operation of the router is anything like the Cisco PIX or ASA, the static NAT completely overrides the PAT (overload) configuration, and therefore no user belonging to the source networks of ACL 1 will be able to use the NAT, so traffic will not work for them, but it should probably work for the 10.20.20.1 static NAT host?
Could that be the problem? Could another 198.41.10.x IP be used for the static NAT?
-Jouni
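To make the reply's suggestion concrete, an added example (mine, not the poster's attached configs) of how the NAT on the Ext_Router could look. It assumes Serial0/0 carries 198.41.10.1 and is the PAT address, that 198.41.10.2 is a spare address routed to the router, that the LAN is 10.20.20.0/24 on FastEthernet0/0 and that the host only needs TCP 443 exposed; none of that is stated in the thread.

```cisco
! Added example, not the poster's configuration. IOS NAT on the Ext_Router; addresses are assumptions.
interface Serial0/0
 ip address 198.41.10.1 255.255.255.0
 ip nat outside
!
interface FastEthernet0/0
 ip address 10.20.20.254 255.255.255.0
 ip nat inside
!
! LAN hosts hide behind the Serial0/0 address (the "PAT" from the reply)
access-list 1 permit 10.20.20.0 0.0.0.255
ip nat inside source list 1 interface Serial0/0 overload
!
! The entry from the question. It claims the whole of 198.41.10.1 for 10.20.20.1, so packets
! arriving for that address (ISAKMP, ESP, the GRE tunnel itself) can be handed to the inside
! host instead of the router:
!   ip nat inside source static 10.20.20.1 198.41.10.1
!
! Option A: a dedicated public address for the one-to-one static NAT
ip nat inside source static 10.20.20.1 198.41.10.2
!
! Option B: only the interface address is available, so translate just the needed port and
! leave the rest of 198.41.10.1 (UDP 500/4500, ESP, GRE) to the router
ip nat inside source static tcp 10.20.20.1 443 198.41.10.1 443 extendable
!
! Check: only the expected entries, nothing mapping the interface address as a whole
! show ip nat translations
! show ip nat statistics
```

Option A and Option B are alternatives; keep only the one that fits the addresses available. With either, the overload rule keeps working for the rest of ACL 1.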
-
I have a question about how traffic is matched, and in what order, for an L2L tunnel. See the attached diagram. On the ASA5520 side I configured NAT of the 192.168.12.0/24 subnet to 10.252.43.0/24 addresses as follows:
global (outside) 1 10.252.43.0 netmask 255.255.255.0
nat (inside) 1 192.168.12.0 255.255.255.0
Now I want to send traffic from the 192.168.12.0/24 subnet to the 10.10.26.0/24 subnet over the tunnel. Which addresses match on the ASA5520 side of the tunnel?
I don't know if it should be:
access-list to_pix525 extended permit ip 192.168.12.0 255.255.255.0 10.10.26.0 255.255.255.0
or
access-list to_pix525 extended permit ip 10.252.43.0 255.255.255.0 10.10.26.0 255.255.255.0
Thank you
-mike
Please change the ACL on nat0inside as follows:
access-list nat0inside extended permit ip 192.168.12.0 255.255.255.0 10.10.26.0 255.255.255.0
Everything else is fine.
--
Robet
-Please rate the solutions.
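An added example (mine, not the poster's or the answer's configuration) showing the 8.2 pieces around the nat0inside line and why the crypto ACL then carries the real 192.168.12.0/24 addresses. The crypto map name, transform set and peer 203.0.113.5 are assumptions.

```cisco
! Added example, not from the thread. ASA 8.2 syntax; map name, transform set and peer are assumptions.
! Evaluation order on 8.2: the nat 0 access-list (exemption) is consulted before nat 1, so
! traffic for 10.10.26.0/24 keeps its real source and is never mapped into 10.252.43.0/24.
access-list nat0inside extended permit ip 192.168.12.0 255.255.255.0 10.10.26.0 255.255.255.0
nat (inside) 0 access-list nat0inside
!
! Everything else from 192.168.12.0/24 is still translated into the 10.252.43.0/24 pool
global (outside) 1 10.252.43.0 netmask 255.255.255.0
nat (inside) 1 192.168.12.0 255.255.255.0
!
! The crypto ACL is evaluated after NAT, so it uses the same real addresses as the exemption;
! the PIX 525 mirrors it (10.10.26.0/24 -> 192.168.12.0/24).
access-list to_pix525 extended permit ip 192.168.12.0 255.255.255.0 10.10.26.0 255.255.255.0
crypto ipsec transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
crypto map outside_map 10 match address to_pix525
crypto map outside_map 10 set peer 203.0.113.5
crypto map outside_map 10 set transform-set ESP-AES-256-SHA
crypto map outside_map interface outside
!
! If the intent were the opposite (present 10.252.43.0/24 to the PIX), drop the nat 0 line and
! put 10.252.43.0/24 in to_pix525 instead; the crypto ACL always sees post-NAT addresses.
!
! Check: the NAT phase of packet-tracer should show the exemption being hit, then the VPN phase should match
packet-tracer input inside icmp 192.168.12.10 8 0 10.10.26.10
```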
-
Need help configuring NAT of VPN traffic to an external pool IP address on the ASA
Hello
I need to configure NAT of VPN traffic to an external pool IP address on the ASA.
For example:
The outside interface IP address is 1.1.1.10
VPN traffic must be NATted to 1.1.1.11
If I try to configure policy NAT or static NAT, the ASA gives me the error "global address overlaps with mask".
Please help me solve this problem.
Thanks and best regards,
Ramanantsoa
Thank you, and since you only have 1 IP (1.1.1.11) for the pool, the traffic can only be initiated from your site to the remote end.
Here is the NAT configuration:
access-list nat-vpn extended permit ip 192.168.1.0 255.255.255.0 10.0.0.0 255.255.0.0
nat (inside) 5 access-list nat-vpn
global (outside) 5 1.1.1.11
In addition, the crypto ACL for the site-to-site tunnel should be as follows:
access-list <crypto-acl> extended permit ip host 1.1.1.11 10.0.0.0 255.255.0.0
Hope that helps.
-
Changing the crypto-interesting ACL on a live IPsec L2L tunnel
Hi all
I need to put additional hosts on the existing crypto-interesting ACL of a live tunnel carrying real-time traffic.
I have a remote-side network engineer to apply the same at their end.
My question: will it interrupt the existing tunnel/traffic if we put additional hosts on the ACL on both sides at the same time?
Thank you!
Each permit entry in the crypto ACL generates its own IPsec security association.
There should be no impact on existing services; just pay attention not to introduce any overlap in the ACL.
Another point: with a very frequently updated crypto map DB, sometimes one must remove and re-add the crypto map configuration, which will cause traffic disruption.
Marcin
-
Access list for traffic crossing IPsec
Hi, just a quick and easy question, hopefully, as I'm thinking about it. I'm setting up IPsec between a Cisco router and another Cisco router. I want to only allow RDP through the IPsec.
I will of course implement the NAT-exemption ACL, but will I have to implement another ACL on the outside interface, allowing a specific RDP server and denying everything else?
Thank you
David
I have extracted this from a working router. I changed some details to conceal the source, but it should illustrate what you need to do.
!
crypto isakmp policy 1
 encr aes 256
 authentication pre-share
 group 2
crypto isakmp key examplekey address 2.3.4.5
!
!
crypto ipsec transform-set AES256SHA esp-aes 256 esp-sha-hmac
 mode tunnel
!
crypto map cust_map 10 ipsec-isakmp
 set peer 2.3.4.5
 set transform-set AES256SHA
 match address crypto_acl
!
interface GigabitEthernet8
 crypto map cust_map
!
ip access-list extended crypto_acl
 permit ip host 192.168.25.52 172.24.0.0 0.0.7.255
!
HTH
Rick
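The extract above selects traffic by host only. An added example (mine, not Rick's extract) that narrows the same crypto map to RDP and answers the outside-ACL part of the question. It assumes 192.168.25.52 is the RDP server on this side, 172.24.0.0/21 holds the remote clients, the peer and interface are the ones in the extract, and the router also does PAT for internet traffic; the remote router must mirror the crypto ACL with the port on the other side.

```cisco
! Added example, not from the thread. Local side: RDP server 192.168.25.52, peer 2.3.4.5.
! Crypto ACLs are written from the local, outbound point of view: our server answers from
! port 3389 to the remote clients. The peer configures the mirror image:
!   permit tcp 172.24.0.0 0.0.7.255 host 192.168.25.52 eq 3389
ip access-list extended crypto_acl
 permit tcp host 192.168.25.52 eq 3389 172.24.0.0 0.0.7.255
!
! NAT exemption: the tunnel flow must not be translated on its way into the tunnel.
! The deny excludes it from the overload rule; everything else is PAT'd as usual.
ip access-list extended nonat_acl
 deny   tcp host 192.168.25.52 eq 3389 172.24.0.0 0.0.7.255
 permit ip 192.168.25.0 0.0.0.255 any
ip nat inside source list nonat_acl interface GigabitEthernet8 overload
!
! Inbound ACL on the outside interface: the peer's IKE (UDP 500), NAT-T (UDP 4500) and ESP
! must be allowed or the tunnel never comes up. Releases before 12.3(8)T also re-check the
! decrypted packet against this ACL, so the cleartext RDP flow is listed too; on current
! releases decrypted traffic is checked against crypto_acl instead, which is what limits
! the tunnel to RDP.
ip access-list extended outside_in
 permit udp host 2.3.4.5 any eq isakmp
 permit udp host 2.3.4.5 any eq non500-isakmp
 permit esp host 2.3.4.5 any
 permit tcp 172.24.0.0 0.0.7.255 host 192.168.25.52 eq 3389
 deny   ip any any log
!
interface GigabitEthernet8
 ip access-group outside_in in
 crypto map cust_map
!
! Check: exactly one SA pair, whose proxy identities carry only tcp/3389
! show crypto ipsec sa | include local ident|remote ident
```

Anything other than RDP between the two sites now fails to match crypto_acl on either side, so it is neither encrypted nor accepted out of the tunnel; the interface ACL only has to deal with the encrypted packets and the peer's IKE.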
-
So I'm pre-configuring a few 5510s before shipping them to the site. I have my site-to-site VPN tunnel up and can ping the internal subnets between the sites. However, as soon as I configure NAT on my outside interface my pings die. I checked a very complete config guide posted by TAC and I think the answer is to set up twice NAT, which I believe I did. I still don't get any packets into the tunnel.
One hint I found is that I get this logged message when NAT is applied, and it affects routing: %ASA-6-110003: Routing failed to locate next hop for ICMP from outside:10.56.8.4/512 to inside:172.16.60.253/0
Output of sh run object / sh run object-group / sh run nat / sh nat on both ASAs:
SITE 1
sh run object
object network obj_any
 subnet 0.0.0.0 0.0.0.0
object network BH-Asterisk
 host x.x.x.x
 description BG Hill Asterisk
object network BH-Exchange
 host x.x.x.x
 description BG Hill Exchange Server
object network DH-AV
 subnet 10.56.20.0 255.255.255.0
 description DH AV
object network DH-Asterisk
 host x.x.x.x
 description DH Asterisk
object network DH-Exchange
 host 10.56.1.253
 description DH Exchange
object network DH-guests
 subnet 10.56.8.0 255.255.255.0
 description DH guests
object network DH-ME
 subnet 10.56.24.0 255.255.255.0
 description DH ME
object network DH-phones
 subnet 10.56.16.0 255.255.255.0
 description DH phones
object network DH-security
 subnet 10.56.32.0 255.255.255.0
 description DH security
object network DH-internal
 subnet 10.56.1.0 255.255.255.0
 description DH internal
object network BH-internal
 subnet 10.60.1.0 255.255.255.0
 description BH internal
object network BH-phones
 subnet 10.60.16.0 255.255.255.0
 description BH phones
object network BH-security
 subnet 10.60.32.0 255.255.255.0
 description BH security
object network BH-AV
 subnet 10.60.20.0 255.255.255.0
 description BH AV
object network BH-guests
 subnet 10.60.8.0 255.255.255.0
 description BH guests
object network BH-ASA
 host 1.1.1.1
object network DH-ASA
 host 1.1.1.2
object network BH-RAS
 subnet 10.60.99.0 255.255.255.0
object network DH-RAS
 subnet 10.56.99.0 255.255.255.0
object network NETWORK_OBJ_10.56.99.0_26
 subnet 10.56.99.0 255.255.255.192
object network BH-UC560
 host 172.16.60.253
object network DH-UC560
 host 172.16.56.253

RJ5510-DOHA# sh run object-group
object-group network BGHill
 description Subnets in BGHill
 network-object object BH-internal
 network-object object BH-phones
 network-object object BH-AV
 network-object object BH-security
 network-object object BH-guests
 network-object object BH-RAS
 network-object object BH-UC560
object-group network DH
 description Subnets in DH
 network-object object DH-AV
 network-object object DH-guests
 network-object object DH-ME
 network-object object DH-phones
 network-object object DH-security
 network-object object DH-internal
 network-object object DH-RAS
 network-object object DH-UC560

RJ5510-DH# sh run nat
nat (AV,outside) source static DH DH destination static BGHill BGHill
nat (guests,outside) source static DH DH destination static BGHill BGHill
nat (inside,outside) source static DH DH destination static BGHill BGHill
nat (phones,outside) source static DH DH destination static BGHill BGHill
nat (security,outside) source static DH DH destination static BGHill BGHill
nat (ME,outside) source static DH DH destination static BGHill BGHill
!
object network DH-AV
 nat (AV,outside) dynamic interface
object network DH-Exchange
 nat (inside,outside) static x.x.x.x
object network DH-guests
 nat (guests,outside) dynamic interface
object network DH-ME
 nat (ME,outside) dynamic interface
object network DH-phones
 nat (phones,outside) dynamic interface
object network DH-security
 nat (security,outside) dynamic interface
object network DH-internal
 nat (inside,outside) dynamic interface

RJ5510-DH# sh nat
Manual NAT Policies (Section 1)
1 (AV) to (outside) source static DH DH   destination static BGHill BGHill
    translate_hits = 0, untranslate_hits = 386
2 (guests) to (outside) source static DH DH   destination static BGHill BGHill
    translate_hits = 180, untranslate_hits = 0
3 (inside) to (outside) source static DH DH   destination static BGHill BGHill
    translate_hits = 0, untranslate_hits = 0
4 (phones) to (outside) source static DH DH   destination static BGHill BGHill
    translate_hits = 0, untranslate_hits = 0
5 (security) to (outside) source static DH DH   destination static BGHill BGHill
    translate_hits = 0, untranslate_hits = 0
6 (ME) to (outside) source static DH DH   destination static BGHill BGHill
    translate_hits = 0, untranslate_hits = 0

Auto NAT Policies (Section 2)
1 (inside) to (outside) source static DH-Exchange x.x.x.x
    translate_hits = 0, untranslate_hits = 0
2 (inside) to (outside) source dynamic DH-internal interface
    translate_hits = 0, untranslate_hits = 0
3 (guests) to (outside) source dynamic DH-guests interface
    translate_hits = 2, untranslate_hits = 0
4 (phones) to (outside) source dynamic DH-phones interface
    translate_hits = 0, untranslate_hits = 0
5 (AV) to (outside) source dynamic DH-AV interface
    translate_hits = 0, untranslate_hits = 0
6 (ME) to (outside) source dynamic DH-ME interface
    translate_hits = 0, untranslate_hits = 0
7 (security) to (outside) source dynamic DH-security interface
    translate_hits = 0, untranslate_hits = 0

SITE 2
sh run object
object network obj_any
 subnet 0.0.0.0 0.0.0.0
object network BH-Asterisk
 host x.x.x.x
 description BH Hill Asterisk
object network BH-Exchange
 host 10.60.1.253
 description BH Hill Exchange Server
object network DH-AV
 subnet 10.56.20.0 255.255.255.0
 description DH AV
object network DH-Asterisk
 host x.x.x.x
 description DH Asterisk
object network DH-Exchange
 host x.x.x.x
 description DH Exchange
object network DH-guests
 subnet 10.56.8.0 255.255.255.0
 description DH guests
object network DH-ME
 subnet 10.56.24.0 255.255.255.0
 description DH ME
object network DH-phones
 subnet 10.56.16.0 255.255.255.0
 description DH phones
object network DH-security
 subnet 10.56.32.0 255.255.255.0
 description DH security
object network DH-internal
 subnet 10.56.1.0 255.255.255.0
 description DH internal
object network BH-internal
 subnet 10.60.1.0 255.255.255.0
 description BH internal
object network BH-phones
 subnet 10.60.16.0 255.255.255.0
 description BH phones
object network BH-security
 subnet 10.60.32.0 255.255.255.0
 description BH security
object network BH-AV
 subnet 10.60.20.0 255.255.255.0
 description BH AV
object network BH-guests
 subnet 10.60.8.0 255.255.255.0
 description BH guests
object network BH-ASA
 host 1.1.1.1
object network DH-ASA
 host 1.1.1.2
object network NETWORK_OBJ_10.60.99.0_26
 subnet 10.60.99.0 255.255.255.192
object network BH-RAS
 subnet 10.60.99.0 255.255.255.0
object network DH-RAS
 subnet 10.56.99.0 255.255.255.0
object network BH-UC560
 host 172.16.60.253
object network DH-UC560
 host 172.16.56.253

sh run object-group
object-group network BHHill
 description Subnets in BH Hill
 network-object object BH-internal
 network-object object BH-phones
 network-object object BH-AV
 network-object object BH-security
 network-object object BH-guests
 network-object object BH-RAS
 network-object object BH-UC560
object-group network DH
 description Subnets in DH
 network-object object DH-AV
 network-object object DH-guests
 network-object object DH-ME
 network-object object DH-phones
 network-object object DH-security
 network-object object DH-internal
 network-object object DH-RAS
 network-object object DH-UC560

sh run nat
nat (inside,outside) source static BHHill BHHill destination static DH DH
nat (AV,outside) source static BHHill BHHill destination static DH DH
nat (guests,outside) source static BHHill BHHill destination static DH DH
nat (phones,outside) source static BHHill BHHill destination static DH DH
nat (security,outside) source static BHHill BHHill destination static DH DH
!
object network BH-Exchange
 nat (inside,outside) static x.x.x.x
object network BH-internal
 nat (inside,outside) dynamic interface
object network BH-phones
 nat (phones,outside) dynamic interface
object network BH-security
 nat (security,outside) dynamic interface
object network BH-AV
 nat (AV,outside) dynamic interface
object network BH-guests
 nat (guests,outside) dynamic interface

sh nat
Manual NAT Policies (Section 1)
1 (inside) to (outside) source static BHHill BHHill   destination static DH DH
    translate_hits = 421, untranslate_hits = 178
2 (AV) to (outside) source static BHHill BHHill   destination static DH DH
    translate_hits = 0, untranslate_hits = 0
3 (guests) to (outside) source static BHHill BHHill   destination static DH DH
    translate_hits = 0, untranslate_hits = 0
4 (phones) to (outside) source static BHHill BHHill   destination static DH DH
    translate_hits = 0, untranslate_hits = 0
5 (security) to (outside) source static BHHill BHHill   destination static DH DH
    translate_hits = 0, untranslate_hits = 0

Auto NAT Policies (Section 2)
1 (inside) to (outside) source static BH-Exchange x.x.x.x
    translate_hits = 0, untranslate_hits = 0
2 (inside) to (outside) source dynamic BH-internal interface
    translate_hits = 0, untranslate_hits = 0
3 (guests) to (outside) source dynamic BH-guests interface
    translate_hits = 0, untranslate_hits = 0
4 (phones) to (outside) source dynamic BH-phones interface
    translate_hits = 0, untranslate_hits = 0
5 (AV) to (outside) source dynamic BH-AV interface
    translate_hits = 0, untranslate_hits = 0
6 (security) to (outside) source dynamic BH-security interface
    translate_hits = 0, untranslate_hits = 0
RJ5510-BH#

I admit that I am scoobied with this one, but I hope that someone will spot the catch?
Thank you
In fact, the problem is with the NAT, because you use the same object in different NAT statements attached to different interfaces.
The ASA can go crazy with that...
I must leave now.
As soon as I get back I'll explain this a little further.
Kind regards
Julio
Rate all useful posts
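Following Julio's point, an added example (mine, not the poster's configuration) for the DH side that keeps one identity rule per interface but gives each rule only the subnets that actually sit behind that interface; it reuses the poster's object names. Assumptions: DH-UC560 (172.16.56.253) is reached via the inside interface, the crypto ACL is named outside_cryptomap, and the ASA runs 8.4(2) or later for the no-proxy-arp and route-lookup keywords (drop them on 8.3/8.4(1)).

```cis​co
! Added example, not the poster's configuration. Site DH, ASA 8.4(2)+ syntax.
! One identity rule per interface, whose source object contains only what lives behind
! that interface, instead of the whole DH group on every interface.
! Assumption: DH-UC560 (172.16.56.253) sits behind inside together with DH-internal.
object-group network DH-inside-nets
 network-object object DH-internal
 network-object object DH-UC560
!
nat (inside,outside) source static DH-inside-nets DH-inside-nets destination static BGHill BGHill no-proxy-arp route-lookup
nat (AV,outside) source static DH-AV DH-AV destination static BGHill BGHill no-proxy-arp route-lookup
nat (guests,outside) source static DH-guests DH-guests destination static BGHill BGHill no-proxy-arp route-lookup
nat (phones,outside) source static DH-phones DH-phones destination static BGHill BGHill no-proxy-arp route-lookup
nat (security,outside) source static DH-security DH-security destination static BGHill BGHill no-proxy-arp route-lookup
nat (ME,outside) source static DH-ME DH-ME destination static BGHill BGHill no-proxy-arp route-lookup
!
! Identity NAT, so the crypto ACL carries the real addresses of both sites
access-list outside_cryptomap extended permit ip object-group DH object-group BGHill
!
! A packet from BH for 172.16.56.253 now matches only the rule whose mapped destination holds
! that host (the inside rule), and route-lookup makes the routing table, not the NAT rule,
! choose the egress interface. That is the condition behind the poster's
! "Routing failed to locate next hop" message. Even if the ACL phase drops this trace
! (it is not a decrypted VPN packet), the UN-NAT and route phases above it show the interface chosen.
packet-tracer input outside icmp 10.60.1.10 8 0 172.16.56.253
```

The same change applies on the BH side with the BH-* objects and the DH group as the destination. With the old rules, the first manual rule on an interface also matched hosts that were not behind that interface, which is why translate and untranslate hits piled up on a single rule in the poster's sh nat output.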