NAT VPN outside -> dmz

Hi all

I have some problems with NAT / NAT exemption (nonat) on a PIX 515E.

The PIX terminates a site-to-site tunnel on the outside interface.

The problem is pinging hosts in the DMZ through the VPN tunnel.

I thought it should work with a static entry like this:

static (outside,dmz) 10.43.26.0 10.43.26.0 netmask 255.255.254.0

but in the log I always get the message:

305005: No translation group found for icmp src outside:10.43.27.250 dst dmz:10.43.100.3 (type 8, code 0)

I also tried a nat 0 rule, without success.

Here is the relevant part of the config:

access-list nonat permit ip 10.0.0.0 255.0.0.0 10.0.0.0 255.0.0.0
access-list nonat permit ip 10.0.0.0 255.0.0.0 192.168.0.0 255.255.0.0
access-list nonat permit ip 10.0.0.0 255.0.0.0 200.1.58.0 255.255.255.0
access-list nonat permit ip 10.0.0.0 255.0.0.0 172.16.0.0 255.255.0.0
ip address outside 199.99.99.2 255.255.254.0
ip address inside 10.43.8.12 255.255.240.0
ip address dmz 10.43.100.2 255.255.255.0
global (outside) 1 199.99.99.11 netmask 255.255.255.255
global (outside) 1 199.99.99.14 netmask 255.255.255.255
global (dmz) 1 10.43.100.50-10.43.100.98 netmask 255.255.255.0
global (dmz) 1 10.43.100.99 netmask 255.255.255.0
nat (inside) 0 access-list nonat
nat (inside) 1 10.43.0.44 255.255.255.255 0 0
nat (inside) 1 10.43.8.0 255.255.255.0 0 0
nat (inside) 1 10.43.9.0 255.255.255.0 0 0
static (inside,outside) tcp 199.99.99.2 telnet 10.43.8.52 telnet netmask 255.255.255.255 0 0
static (inside,dmz) 10.43.8.29 10.43.8.29 netmask 255.255.255.255 0 0
static (inside,dmz) 10.43.8.20 10.43.8.20 netmask 255.255.255.255 0 0
static (dmz,outside) 199.99.99.6 10.43.100.6 netmask 255.255.255.255 0 0
static (inside,outside) 199.99.99.7 10.43.9.56 netmask 255.255.255.255 0 0
static (inside,outside) 199.99.99.5 10.43.8.53 netmask 255.255.255.255 0 0
static (dmz,outside) 199.99.99.4 10.43.100.4 netmask 255.255.255.255 0 0
static (dmz,outside) 199.99.99.3 10.43.100.3 netmask 255.255.255.255 0 0
static (outside,dmz) 10.43.26.0 10.43.26.0 netmask 255.255.254.0 0 0
access-group acl_out in interface outside
access-group acl_in in interface inside
access-group acl_dmz in interface dmz

Any tips?

Thank you

Armin

Without seeing the rest of the config it is difficult to tell you exactly what's happening (i.e. ACLs, sysopt connection permit-ipsec, etc.).

However, you will need a NAT exemption (nonat) for the DMZ traffic going back through the VPN:

access-list nonat-dmz permit ip 10.43.100.0 255.255.255.0 10.43.27.0 255.255.255.0
nat (dmz) 0 access-list nonat-dmz

Also remove the "static (outside,dmz) 10.43.26.0 10.43.26.0 netmask 255.255.254.0 0 0". I see no reason for you to do destination NAT.

HTH
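As an added illustration (not part of the original post or reply, and not Cisco code), the Python model below mimics the per-interface NAT exemption lookup behind the 305005 message above: the `nat (inside) 0` exemption only covers flows looked up on inside, so a DMZ host talking to the VPN peer has no translation on dmz until the reply's `nat (dmz) 0 access-list nonat-dmz` is added. ACL parsing is limited to `permit ip` entries, and the config lines are constructed from the excerpt in the question.

```python
"""Model of the PIX/ASA 8.2-style NAT exemption lookup (nat 0 access-list).

Added example, not from the original thread or from Cisco. It replays the
situation in the first post: VPN host 10.43.27.250 pings DMZ host
10.43.100.3, and the PIX looks for a translation on the dmz interface for
the DMZ host talking to the remote host (the same lookup the echo reply
needs). The addresses and the ACL names nonat / nonat-dmz are the ones in
the thread; matching is simplified to 'permit ip' entries only.
"""
import ipaddress
import re


def _parse_endpoint(tokens):
    """Consume one ACL endpoint from the token list: 'any', 'host A' or 'A MASK'.
    PIX/ASA ACLs use real subnet masks (255.255.255.0), not IOS wildcards."""
    tok = tokens.pop(0)
    if tok == "any":
        return ipaddress.ip_network("0.0.0.0/0")
    if tok == "host":
        return ipaddress.ip_network(tokens.pop(0) + "/32")
    mask = tokens.pop(0)
    return ipaddress.ip_network(f"{tok}/{mask}", strict=False)


def parse_acls(config_lines):
    """Return {acl_name: [(src_net, dst_net), ...]} for 'permit ip' entries."""
    acls = {}
    for line in config_lines:
        tokens = line.split()
        if len(tokens) < 6 or tokens[0] != "access-list":
            continue
        name, rest = tokens[1], tokens[2:]
        if rest[0] == "extended":          # 7.x+ syntax, same semantics
            rest = rest[1:]
        if rest[:2] != ["permit", "ip"]:
            continue                       # other protocols are not modelled
        rest = rest[2:]
        src = _parse_endpoint(rest)
        dst = _parse_endpoint(rest)
        acls.setdefault(name, []).append((src, dst))
    return acls


def parse_nat0(config_lines):
    """Return {interface: acl_name} from 'nat (ifc) 0 access-list NAME' lines.
    A later line for the same interface replaces the earlier one: the PIX
    keeps a single exemption ACL per interface."""
    exempt = {}
    for line in config_lines:
        m = re.match(r"nat \((\S+)\) 0 access-list (\S+)\s*$", line)
        if m:
            exempt[m.group(1)] = m.group(2)
    return exempt


def is_exempt(config_lines, ifc, real_host, remote_host):
    """True if real_host, looked up on interface ifc, is NAT-exempt towards remote_host."""
    acl_name = parse_nat0(config_lines).get(ifc)
    if acl_name is None:
        return False                       # no nat 0 on this interface at all
    src = ipaddress.ip_address(real_host)
    dst = ipaddress.ip_address(remote_host)
    return any(src in s and dst in d
               for s, d in parse_acls(config_lines).get(acl_name, []))


# Constructed from the config excerpt in the question: exemption only on inside.
AS_POSTED = [
    "access-list nonat permit ip 10.0.0.0 255.0.0.0 10.0.0.0 255.0.0.0",
    "nat (inside) 0 access-list nonat",
]

# The reply's fix: a second exemption ACL applied on the dmz interface.
WITH_REPLY = AS_POSTED + [
    "access-list nonat-dmz permit ip 10.43.100.0 255.255.255.0 10.43.27.0 255.255.255.0",
    "nat (dmz) 0 access-list nonat-dmz",
]


def dmz_host_exempt(config_lines):
    """DMZ host 10.43.100.3 towards VPN host 10.43.27.250, looked up on dmz."""
    return is_exempt(config_lines, "dmz", "10.43.100.3", "10.43.27.250")


if __name__ == "__main__":
    print("as posted :", dmz_host_exempt(AS_POSTED))    # False -> 305005 in the log
    print("with reply:", dmz_host_exempt(WITH_REPLY))   # True
    # The inside exemption never helped the dmz: lookups are per interface.
    print("inside    :", is_exempt(AS_POSTED, "inside", "10.43.8.20", "10.43.27.250"))
```

Running the block prints False for the posted config and True once the dmz exemption is in place; `parse_nat0` also shows why a second `nat (ifc) 0 access-list` for the same interface replaces the first instead of adding to it, which is why extra exemptions go into the existing ACL.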

Tags: Cisco Security

Similar Questions

  • PIX vpn public dmz

    Hello

    I'd like to set up a VPN on a PIX 515 firewall running OS version 7.0(5) with a public DMZ and NAT translation.

    inside: 10.5.10.0/24
    outside: 1.1.1.1/27 (range)
    DMZ: 2.2.2.2/27 (range)
    remote inside network: 192.168.20.0/24

    My crypto domain should be: 2.2.2.3/32 -- 192.168.20.0/24

    Now I have a nat rule, which is:

    nat (inside,dmz) 2.2.2.3 10.5.10.28 netmask 255.255.255.255

    So basically I want to translate the connections coming from 2.2.2.3 to 10.5.10.28.

    The VPN is configured correctly and comes up on both sides, but the nat rule does not work together with the VPN.

    Built inbound TCP connection 4619 for outside:192.168.20.82/34237 (192.168.20.82/34237) to dmz:2.2.2.3/22 (2.2.2.3/22)

    but I can't see any traffic on the 10.5.10.28 server; instead I see:

    Built inbound TCP connection 4619 for outside:192.168.20.82/34237 (192.168.20.82/34237) to dmz:10.5.10.28/22 (10.5.10.28/22)

    any help would be great!

    Kind regards

    dural

    Hi Dural

    Could you clarify, should the line

    nat (inside,dmz) 2.2.2.3 10.5.10.28 netmask 255.255.255.255

    actually read

    static (inside,dmz) 2.2.2.3 10.5.10.28 netmask 255.255.255.255

    Also, are you terminating the VPN on the outside interface of your firewall, i.e. what is the peer IP address on your end?

    Could you not try

    static (inside,outside) 2.2.2.2 10.5.10.28 netmask 255.255.255.255

    * Edit - I meant

    static (inside,outside) 2.2.2.3 10.5.10.28 netmask 255.255.255.255 *

    You don't actually need the traffic to go to the DMZ, do you?

    If not, do you have public IP addresses available on your outside interface?

    HTH

    Jon

  • %ASA-5-305013: Asymmetric NAT rules matched for forward and reverse flows; Connection denied due to NAT reverse path failure. NAT VPN client problems after upgrading to 8.3.2.

    I've recently upgraded to 8.3.2 and I was informed of the NAT changes, but even after reading https://supportforums.cisco.com/docs/DOC-12569 I am still unable to get the 192.168.100.0 VPN network communicating with hosts on 172.16.1.0 and 172.16.9.0. The VPN clients connect to the outside interface, and I try to ping inside and DMZ hosts, on 172.16.1.0 and 172.16.9.0 respectively. The VPN client shows the two networks mentioned above as secured routes, but the pings still fail.

    # sh nat

    Manual NAT Policies (Section 1)
    1 (inside) to (any) source static obj-172.16.9.0 obj-172.16.9.0   destination static obj-192.168.100.0 obj-192.168.100.0 unidirectional
        translate_hits = 0, untranslate_hits = 0
    2 (inside) to (any) source static obj-172.16.1.0 obj-172.16.1.0   destination static obj-192.168.100.0 obj-192.168.100.0 unidirectional
        translate_hits = 0, untranslate_hits = 0
    3 (inside) to (any) source static obj-172.16.1.0 obj-172.16.1.0   destination static obj-172.16.12.0 obj-172.16.12.0 unidirectional
        translate_hits = 0, untranslate_hits = 0
    4 (dmz) to (outside) source static obj-172.16.9.0 obj-172.16.9.0   destination static obj-192.168.100.0 obj-192.168.100.0 unidirectional
        translate_hits = 0, untranslate_hits = 0
    5 (dmz) to (outside) source static obj-172.16.9.0 obj-172.16.9.0   destination static obj-172.16.12.0 obj-172.16.12.0 unidirectional
        translate_hits = 0, untranslate_hits = 0

    Auto NAT Policies (Section 2)
    1 (dmz) to (outside) source static obj-172.16.9.5 interface   service tcp www www
        translate_hits = 0, untranslate_hits = 142
    2 (dmz) to (outside) source static obj-172.16.9.5-01 interface   service tcp 3389 3389
        translate_hits = 0, untranslate_hits = 2
    3 (dmz) to (outside) source static obj-172.16.9.5-02 interface   service tcp ldap ldap
        translate_hits = 0, untranslate_hits = 0
    4 (dmz) to (outside) source static obj-172.16.9.5-03 interface   service tcp ftp ftp
        translate_hits = 0, untranslate_hits = 0
    5 (dmz) to (outside) source static obj-172.16.9.5-04 interface   service tcp smtp smtp
        translate_hits = 0, untranslate_hits = 267
    6 (inside) to (dmz) source static obj-172.16.9.0 172.16.9.0
        translate_hits = 4070, untranslate_hits = 224
    7 (inside) to (dmz) source static obj-10.1.0.0 10.1.0.0
        translate_hits = 0, untranslate_hits = 0
    8 (inside) to (dmz) source static obj-172.16.0.0 172.16.0.0
        translate_hits = 152, untranslate_hits = 4082
    9 (dmz) to (outside) source dynamic obj-172.16.9.0-01 interface
        translate_hits = 69, untranslate_hits = 0
    10 (inside) to (outside) source dynamic obj_any interface
        translate_hits = 196, untranslate_hits = 32

    I think you must have the following two NAT configurations:

    nat (inside,outside) source static obj-172.16.1.0 obj-172.16.1.0 destination static obj-192.168.100.0 obj-192.168.100.0
    nat (dmz,outside) source static obj-172.16.9.0 obj-172.16.9.0 destination static obj-192.168.100.0 obj-192.168.100.0

    Please configure them and remove any additional NAT configuration and then try again.

  • ASA 5510 - VPN for DMZ with static rule?

    I have an ASA 5510 with a number of VPNs to other sites, allowing traffic to and from the inside networks.

    I need to set up a VPN to another site, but they should have very limited access to resources on my local network. Because I am not in control of the ASA on their end, I need to control that access on my 5510.

    (the following are not my real IPs, but I use them for this example)

    My network: 10.100.1.x
    My DMZ: 192.168.1.x
    Other site's internal network: 172.16.1.x

    I wanted to try creating a VPN between the site and a specific DMZ address on my side and then allow access to internal addresses using static rules. I decided to use a static rule to enable http access to a specific server (for example):

    static (inside,dmz) tcp 192.168.1.200 80 10.100.1.200 80

    I need to allow the traffic here:

    access-list DMZ_IN permit tcp host 172.16.1.10 host 192.168.1.200 eq 80
    access-group DMZ_IN in interface dmz

    And of course access list rules which allow the traffic, that I can apply to the VPN:

    access-list toSite permit ip host 192.168.1.200 host 172.16.1.10

    And I don't want that traffic NATed between my DMZ and the other site:

    access-list nonatDMZ permit ip host 192.168.1.200 host 172.16.1.10
    nat (dmz) 0 access-list nonatDMZ
    nat (dmz) 1 0.0.0.0 0.0.0.0

    And, of course, the corresponding rules on their ASA are in place, allowing traffic to 192.168.1.200 and not NATing it.

    Everything is in place, but http traffic from 172.16.1.10 to 192.168.1.200 never reaches 10.100.1.200. I know the following:

    1. The VPN is configured correctly. If I add rules allowing traffic to (and from) 172.16.1.10 and 10.100.1.200 directly, they work.

    2. Packet tracer shows me that the traffic is allowed.

    3. The static rule works: accessing 192.168.1.200:80 from another host on the same interface (DMZ) takes me to 10.100.1.200:80.

    4. Running a packet sniffer on 10.100.1.200 shows that the traffic from 172.16.1.10 never reaches it.

    So I'm banging my head against the wall here.  I'm sure it's something simple I'm missing.  Anything else I need to check?  Should I go about this a different way?

    Thank you.

    What you are trying to achieve is not supported. You cannot configure NAT between the inside and DMZ interfaces while your VPN connection comes in on the outside interface. The static NAT (inside,dmz) that you have configured will only work if the connection is initiated from inside towards the DMZ, or vice versa.

    I think what you are trying to achieve is to allow access on TCP/80 to 10.100.1.200 only, for the VPN tunnel.

    You should configure your option 1:

    1. The VPN is configured correctly. If I add rules allowing traffic to (and from) 172.16.1.10 and 10.100.1.200 directly, they work.

    You can configure a vpn-filter to restrict the traffic to TCP/80 only, and assign it to the group-policy that you have assigned to this particular tunnel-group.

    Example:

    access-list web-allow permit tcp host 172.16.1.10 host 10.100.1.200 eq 80
    group-policy web-policy internal
    group-policy web-policy attributes
     vpn-filter value web-allow
    tunnel-group <tunnel-group-name> general-attributes
     default-group-policy web-policy

    Here is an example configuration for your reference:

    http://www.Cisco.com/en/us/products/HW/vpndevc/ps2030/products_configuration_example09186a00808c9a87.shtml

    Hope that helps.

  • Port 8.2(5) policy-nat VPN from ASA5510 to ASA5515 8.6(1)

    I have this existing config (which works) on an ASA5510 running 8.2(5).
    I need to port this to an ASA5515 running 8.6(1).
    ASA5510 inside net: 192.168.1.0/24
    Remote VPN peer network: 172.16.21.192/28
    !
    access-list InsideGlobal-2-OutsideNetwork permit ip host 10.0.200.211 172.16.21.192 255.255.255.240
    access-list InsideGlobal-2-OutsideNetwork permit ip host 10.0.202.39 172.16.21.192 255.255.255.240
    !
    access-list InsideLocal.1-2-OutsideNetwork permit ip host 192.168.1.1 172.16.21.192 255.255.255.240
    access-list InsideLocal.191-2-OutsideNetwork permit ip host 192.168.1.191 172.16.21.192 255.255.255.240
    !
    static (inside,outside) 10.0.200.211 access-list InsideLocal.1-2-OutsideNetwork
    static (inside,outside) 10.0.202.39 access-list InsideLocal.191-2-OutsideNetwork
    !
    crypto map outside_map 1 match address InsideGlobal-2-OutsideNetwork
    !

    I think what I need is the following:
    !
    object network OBJ_172.16.21.192_28
     subnet 172.16.21.192 255.255.255.240
    !
    object network OBJ_10.0.200.211_32
     host 10.0.200.211
    !
    object network OBJ_10.0.202.39_32
     host 10.0.202.39
    !
    object network OBJ_192.168.1.1_32
     host 192.168.1.1
    !
    object network OBJ_192.168.1.191_32
     host 192.168.1.191
    !
    access-list InsideGlobal-2-OutsideNetwork extended permit ip object OBJ_10.0.200.211_32 object OBJ_172.16.21.192_28
    access-list InsideGlobal-2-OutsideNetwork extended permit ip object OBJ_10.0.202.39_32 object OBJ_172.16.21.192_28
    !
    nat (inside,outside) source static OBJ_192.168.1.1_32 OBJ_10.0.200.211_32 destination static OBJ_172.16.21.192_28 OBJ_172.16.21.192_28 no-proxy-arp route-lookup
    nat (inside,outside) source static OBJ_192.168.1.191_32 OBJ_10.0.202.39_32 destination static OBJ_172.16.21.192_28 OBJ_172.16.21.192_28 no-proxy-arp route-lookup
    !
    crypto map outside_map 1 match address InsideGlobal-2-OutsideNetwork

    THX - Phil

    Hi Phil,

    The converted 8.2.x to 8.6.x configuration is correct. Go with it.

    Vishnu

  • 8.3 to 8.2 NAT SSL VPN issue

    While studying and testing SSL VPN on an ASA, I have the network as shown in the attached diagram. The configuration came from an ASA running 8.3, but our ASA is on 8.2, and at this time I am not familiar with the new NAT configuration and commands in 8.3 and later. I'm wondering if anyone can translate the

    "nat (inside,outside) source static ..." line below for me into the 8.2 version.

    Appreciate any help.

    Jeff

    nat (inside,outside) source static NETWORK_OBJ_192.168.3.0_Net1 NETWORK_OBJ_192.168.3.0_Net1 destination static NETWORK_OBJ_192.168.100.0_RemotePool NETWORK_OBJ_192.168.100.0_RemotePool

    Hello

    This seems to be a NAT0 / NAT exempt configuration in the new 8.3+ NAT format.

    And I guess it would make sense, as we are talking about VPN connections.

    It should be something like this:

    access-list INSIDE-NAT0 permit ip 192.168.3.0 255.255.255.0 192.168.100.0 255.255.255.0
    nat (inside) 0 access-list INSIDE-NAT0

    Naturally the names/networks used in the configuration can be different depending on your actual existing configuration on the firewall.

    -Jouni

  • ASA 8.4 NAT VPN issue.

    Hello

    I'm working on a customer site and they have a problem with one of their VPNs (we have others that work well), but it is a major issue and I think it's because we use manual NAT and object NAT on the same server for different things.

    Traffic between inside and outside:

    It works with a specific manual NAT rule with the 10.10.10.10 server object as source

    Inside
    SRC -> DST
    10.10.10.10 -> 1.1.2.10   SNAT   1.1.1.10 -> 1.1.2.10   = VPN =   1.1.1.10 -> 1.1.2.10   <3rd party fw>   1.1.1.10 -> 1.1.2.10

    It works with a specific object NAT on the 10.10.10.10 server object

    Remote
    SRC -> DST
    1.1.1.10 -> 1.1.2.10   <3rd party fw>   = VPN =   1.1.1.10 -> 1.1.2.10   DNAT -> 10.10.10.10

    If we have both the manual NAT and the object NAT it does anyway.

    So the question is (as I am new to ASA 8.3 code): should one not mix the two types of NAT, and look at configuring it all with manual NAT or with object NAT?

    With the object NAT removed it does not work, as it is caught by the inside-to-outside NAT for everything:

    nat (inside,outside) source dynamic any interface (this NATs to 1.1.1.1 and then does not match the crypto map for the VPN)

    and I tried a no-nat above that, but that does not work either.

    Clutching at straws comes to mind, trying to configure a different config. Any pointers in the right direction would be great.

    Kind regards

    Z

    Hello

    I'm not sure about your setup, even with the explanation. Every NAT configuration I have done for VPN used Section 1 Manual/Twice NAT.

    You have the default PAT rule configured as a Section 1 NAT rule. NAT rules in the new software are divided into 3 sections:

    • Section 1: Manual/Twice NAT
    • Section 2: Object NAT
    • Section 3: Manual/Twice NAT (moved to Section 3 with the "after-auto" parameter)
    • The sections are gone through from 1 to 2 to 3 in order to find a match.

    You should also notice that Section 1 and Section 3 NAT rules have a "line number", similar to the ACL line-number parameter. So if you have an existing default PAT rule configured in Section 1 and just add another Section 1 NAT rule (the VPN NAT) without a line/order number, it will just fall below the existing rule, making the new rule useless.

    I would advise against using the default PAT rule as a Section 1 NAT rule. In the end it means that you have to constantly watch and edit its configuration whenever you try to configure more specific rules.

    As a general rule, the Section 3 default PAT configuration would be the following:

    nat (inside,outside) after-auto source dynamic any interface

    This would mean that you need to remove the old one. That would naturally mean that the change temporarily tears down all current connections through "inside" and "outside" while you change the NAT rule format.

    If after this you configure a Twice NAT for the VPN (without the "after-auto" parameter), it will be a Section 1 rule while the default PAT will be in Section 3. Naturally, Section 1 will be matched first.

    I'm not quite sure I have understood your setup from the above.

    Are you doing source NAT only?

    I guess the configuration you are doing is something like this?

    object network LAN-REAL
     subnet 10.10.10.0 255.255.255.0
    object network LAN-MAPPED
     subnet 1.1.1.0 255.255.255.0
    object network REMOTE-LAN
     subnet 1.1.2.0 255.255.255.0
    nat (inside,outside) source static LAN-REAL LAN-MAPPED destination static REMOTE-LAN REMOTE-LAN

    If the network 1.1.1.0/24 is supposed to be one that is directly connected to your "outside" interface, the format might need to be something else.

    -Jouni
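    To make the section order and the line-number point concrete, here is an added Python model (not from the thread, and not Cisco code) of how an 8.3+ ASA chooses a NAT rule. It assumes the object names and networks Jouni uses above plus a constructed internet destination 198.51.100.7, and it reduces matching to source and destination networks on the (inside,outside) pair.

```python
"""Model of ASA 8.3+ NAT rule selection: Section 1 (manual / twice NAT), then
Section 2 (object NAT), then Section 3 (manual NAT with 'after-auto'); inside
a section, rules are tried in line order and the first match wins.

Added example, not from the original thread or from Cisco. The object names
LAN-REAL, LAN-MAPPED and REMOTE-LAN and the networks 10.10.10.0/24, 1.1.1.0/24
and 1.1.2.0/24 come from the thread; 198.51.100.7 is a constructed internet
destination. Matching is simplified to source/destination networks on the
(inside,outside) interface pair, without ports or proxy-arp handling.
"""
import ipaddress
from dataclasses import dataclass

ANY = ipaddress.ip_network("0.0.0.0/0")


@dataclass
class NatRule:
    name: str
    section: int                          # 1 = manual, 2 = object NAT, 3 = after-auto
    src: ipaddress.IPv4Network            # real source the rule matches
    dst: ipaddress.IPv4Network = ANY      # real destination (ANY for non-twice rules)
    mapped_src: str = "interface"         # what the source becomes (PAT to interface)


class NatTable:
    def __init__(self):
        self.sections = {1: [], 2: [], 3: []}

    def add(self, rule, line=None):
        """Mimic the CLI: 'nat (inside,outside) source ...' appends to the end of
        its section; 'nat (inside,outside) 1 source ...' inserts at line 1."""
        sec = self.sections[rule.section]
        if line is None:
            sec.append(rule)
        else:
            sec.insert(line - 1, rule)

    def lookup(self, src, dst):
        """Walk Section 1, 2, 3 in order; the first matching rule wins."""
        s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
        for section in (1, 2, 3):
            for rule in self.sections[section]:
                if s in rule.src and d in rule.dst:
                    return rule
        return None


LAN_REAL = ipaddress.ip_network("10.10.10.0/24")
REMOTE_LAN = ipaddress.ip_network("1.1.2.0/24")
SERVER = ipaddress.ip_network("10.10.10.10/32")


def default_pat(section):
    # nat (inside,outside) [after-auto] source dynamic any interface
    return NatRule("default-PAT", section, ANY, ANY, "interface")


def vpn_twice_nat():
    # nat (inside,outside) source static LAN-REAL LAN-MAPPED destination static REMOTE-LAN REMOTE-LAN
    return NatRule("VPN-twice-NAT", 1, LAN_REAL, REMOTE_LAN, "1.1.1.0/24")


def pat_first_in_section1():
    """The situation the reply warns about: PAT already in Section 1, VPN rule
    added afterwards without a line number, so it lands below the PAT."""
    t = NatTable()
    t.add(default_pat(1))
    t.add(vpn_twice_nat())
    return t.lookup("10.10.10.10", "1.1.2.10").name


def vpn_rule_with_line_number():
    """Same table, but the VPN rule is inserted at line 1 of Section 1."""
    t = NatTable()
    t.add(default_pat(1))
    t.add(vpn_twice_nat(), line=1)
    return t.lookup("10.10.10.10", "1.1.2.10").name


def recommended_layout():
    """PAT moved to Section 3 with after-auto, an object NAT for the server in
    Section 2, and the VPN twice NAT alone in Section 1."""
    t = NatTable()
    t.add(vpn_twice_nat())
    t.add(NatRule("object-NAT-server", 2, SERVER, ANY, "1.1.1.10"))
    t.add(default_pat(3))
    return (t.lookup("10.10.10.10", "1.1.2.10").name,      # VPN rule wins
            t.lookup("10.10.10.10", "198.51.100.7").name,  # object NAT for the server
            t.lookup("10.10.10.20", "198.51.100.7").name)  # falls through to after-auto PAT


if __name__ == "__main__":
    print(pat_first_in_section1())        # default-PAT  (VPN traffic mis-NATed)
    print(vpn_rule_with_line_number())    # VPN-twice-NAT
    print(recommended_layout())           # ('VPN-twice-NAT', 'object-NAT-server', 'default-PAT')
```

    The first function reproduces the failure mode (the catch-all PAT shadows the later VPN rule); the other two show the two ways out Jouni describes, an explicit line number or moving the PAT to Section 3, and the third also shows an object NAT in Section 2 being consulted only after Section 1 has no match.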

  • NAT/VPN Cisco ASA

    Hello

    I have a question on a Cisco ASA.

    We are trying to set up a VPN connection with a provider of ours using the 172.16.1.0/24 subnet, but they already have another customer using 172.16.1.0/24, so we need to NAT the traffic to a different subnet before connecting to the provider. Is this possible? If yes, how can I configure something like this?

    172.16.1.0/24 is also used to access the internet.

    That's what I have right now:

    !
    access-list internet_cryptomap_2 extended permit ip 192.168.0.0 255.255.252.0 (provider subnet)
    !
    crypto map internet_map1 3 match address internet_cryptomap_2
    crypto map internet_map1 3 set peer (provider IP address)
    crypto map internet_map1 3 set transform-set tubis-transformset
    crypto map internet_map1 3 set reverse-route
    !

    This VPN works, but only for the subnet listed in internet_cryptomap_2; unfortunately, I can't use 172.16.1.0/24 for this.

    Anyone has any ideas how to solve this problem?

    Kind regards

    Tom

    Yes, you can...

    Assuming you want to NAT 172.16.1.0/24 to 10.16.1.0/24 when accessing the provider subnet 192.168.0.0:

    access-list static-nat-to-provider permit ip 172.16.1.0 255.255.255.0 192.168.0.0 255.255.252.0
    static (inside,outside) 10.16.1.0 access-list static-nat-to-provider
    access-list internet_cryptomap_2 extended permit ip 10.16.1.0 255.255.255.0 192.168.0.0 255.255.252.0

    That assumes you have ASA 8.2 or lower.

    Otherwise, for ASA 8.3 or higher:

    object network obj-172.16.1.0
     subnet 172.16.1.0 255.255.255.0
    object network obj-10.16.1.0
     subnet 10.16.1.0 255.255.255.0
    object network obj-192.168.0.0
     subnet 192.168.0.0 255.255.252.0
    nat (inside,outside) source static obj-172.16.1.0 obj-10.16.1.0 destination static obj-192.168.0.0 obj-192.168.0.0

  • Help with NAT exemption and VPN config for the DMZ.

    Before the VPN, we got by with "nonatdmz". Recently, we tried to implement a VPN solution using "VPNRA".

    The ASA OS only lets you use one "nat 0" at a time; how do you get around that?

    TIA

    access-list nonatdmz extended permit ip any 192.168.100.0 255.255.255.0
    nat (inside) 0 access-list nonatdmz

    access-list VPNRA extended permit ip 172.0.0.0 255.0.0.0 10.17.70.0 255.255.255.0
    nat (inside) 0 access-list VPNRA

    You can add several lines to your nonatdmz access-list, for example:

    access-list nonatdmz extended permit ip any 192.168.100.0 255.255.255.0
    access-list nonatdmz extended permit ip 172.0.0.0 255.0.0.0 10.17.70.0 255.255.255.0
    nat (inside) 0 access-list nonatdmz

  • NAT VPN question.

    Trying to find out what happened. I had the remote end bring up the tunnel, and they can ping resources on my side. I am unable to ping 10.90.238.148 through this tunnel. I used to be able to, until the K_Inc interface was added. The network behind this interface is 10/8.

    I asked a question earlier in another post and was advised to set reverse-route on the crypto map. And that did it. I was able to ping 10.90.238.148 from 192.168.141.10 with the config below.

    I am at a loss as to why I suddenly can't. A bit of history: the routes have not changed. By adding the set reverse-route command I ended up with a static entry for the 10.90.238.0 network, which is what fixed it initially, so I don't think it's a routing problem. The remote end had an overlap with 192.168.141.0/24, which is why my side is NATed to 10.40.27.0. None of the NATs have changed, so if adding the reverse route worked for a day, it should still work. Any thoughts?

    interface GigabitEthernet0/3.10
     vlan 10
     nameif K_Inc
     security-level 100
     ip address 192.168.10.254 255.255.255.0
    interface GigabitEthernet0/3.141
     vlan 141
     nameif cold
     security-level 100
     ip address 192.168.141.254 255.255.255.0

    nat (cold) 0 access-list nonat
    nat (cold) 1 192.168.141.0 255.255.255.0
    access-list CSVPNOFFSITE extended permit ip 192.168.141.0 255.255.255.0 10.90.238.0 255.255.255.0
    access-list CSVPNOFFSITE extended permit ip 10.40.27.0 255.255.255.0 10.90.238.0 255.255.255.0
    access-list CSVPNNAT extended permit ip 192.168.141.0 255.255.255.0 10.90.238.0 255.255.255.0
    access-list nonat extended permit ip 10.40.27.0 255.255.255.0 10.90.238.0 255.255.255.0
    static (cold,outside) 10.40.27.0 access-list CSVPNNAT
    crypto map Outside_map 5 match address CSVPNOFFSITE
    crypto map Outside_map 5 set reverse-route
    crypto map Outside_map 5 set pfs
    crypto map Outside_map 5 set peer 20.x.x.3
    crypto map Outside_map 5 set transform-set ESP-3DES-MD5
    crypto map Outside_map 5 set security-association lifetime seconds 28800
    crypto map Outside_map 5 set security-association lifetime kilobytes 4608000
    tunnel-group 20.x.x.3 type ipsec-l2l
    tunnel-group 20.x.x.3 ipsec-attributes
     pre-shared-key *
    route outside 0.0.0.0 0.0.0.0 7.x.x.1 1
    route K_Inc 10.0.0.0 255.192.0.0 192.168.10.252 1
    route K_Inc 10.64.0.0 255.224.0.0 192.168.10.252 1
    route K_Inc 10.100.100.0 255.255.255.0 192.168.10.252 1
    route K_Inc 10.128.0.0 255.128.0.0 192.168.10.252 1

    Tunnel is up:

    14   IKE Peer: 20.x.x.243
         Type    : L2L             Role    : responder
         Rekey   : no              State   : MM_ACTIVE

    EDIT:

    I just noticed that when I run packet-tracer I don't get a VPN or encrypt phase:

    packet-tracer input cold tcp 192.168.141.10 80 10.90.238.148 80 detailed

    Phase: 1
    Type: FLOW-LOOKUP
    Subtype:
    Result: ALLOW
    Config:
    Additional Information:
    Found no matching flow, creating a new flow

    Phase: 2
    Type: ROUTE-LOOKUP
    Subtype: input
    Result: ALLOW
    Config:
    Additional Information:
    in   10.90.238.0     255.255.255.0   outside

    Phase: 3
    Type: IP-OPTIONS
    Subtype:
    Result: ALLOW
    Config:
    Additional Information:
     Forward Flow based lookup yields rule:
     in  id=0xad048d08, priority=0, domain=inspect-ip-options, deny=true
            hits=2954624, user_data=0x0, cs_id=0x0, reverse, flags=0x0, protocol=0
            src ip=0.0.0.0, mask=0.0.0.0, port=0
            dst ip=0.0.0.0, mask=0.0.0.0, port=0, dscp=0x0

    Phase: 4
    Type: QOS
    Subtype:
    Result: ALLOW
    Config:
    Additional Information:
     Forward Flow based lookup yields rule:
     in  id=0xb2ed4b80, priority=72, domain=qos-per-class, deny=false
            hits=2954687, user_data=0xb2ed49d8, cs_id=0x0, reverse, flags=0x0, protocol=0
            src ip=0.0.0.0, mask=0.0.0.0, port=0
            dst ip=0.0.0.0, mask=0.0.0.0, port=0, dscp=0x0

    Phase: 5
    Type: FOVER
    Subtype: standby-update
    Result: ALLOW
    Config:
    Additional Information:
     Forward Flow based lookup yields rule:
     in  id=0xad090180, priority=20, domain=lu, deny=false
            hits=618776, user_data=0x0, cs_id=0x0, flags=0x0, protocol=6
            src ip=0.0.0.0, mask=0.0.0.0, port=0
            dst ip=0.0.0.0, mask=0.0.0.0, port=0, dscp=0x0

    Phase: 6
    Type: NAT
    Subtype:
    Result: ALLOW
    Config:
    static (ColdSpring,outside) 74.x.x.50 192.168.141.10 netmask 255.255.255.255
      match ip ColdSpring host 192.168.141.10 outside any
        static translation to 74.x.x.50
        translate_hits = 610710, untranslate_hits = 188039
    Additional Information:
    Static translate 192.168.141.10/0 to 74.112.122.50/0 using netmask 255.255.255.255
     Forward Flow based lookup yields rule:
     in  id=0xac541e50, priority=5, domain=nat, deny=false
            hits=610742, user_data=0xac541c08, cs_id=0x0, flags=0x0, protocol=0
            src ip=192.168.141.10, mask=255.255.255.255, port=0
            dst ip=0.0.0.0, mask=0.0.0.0, port=0, dscp=0x0

    Phase: 7
    Type: NAT
    Subtype: host-limits
    Result: ALLOW
    Config:
    static (ColdSpring,dmz) 192.168.141.0 192.168.141.0 netmask 255.255.255.0
      match ip ColdSpring 192.168.141.0 255.255.255.0 dmz any
        static translation to 192.168.141.0
        translate_hits = 4194, untranslate_hits = 20032
    Additional Information:
     Forward Flow based lookup yields rule:
     in  id=0xace2c1a0, priority=5, domain=host, deny=false
            hits=2954683, user_data=0xace2ce68, cs_id=0x0, reverse, flags=0x0, protocol=0
            src ip=192.168.141.0, mask=255.255.255.0, port=0
            dst ip=0.0.0.0, mask=0.0.0.0, port=0, dscp=0x0

    Phase: 8
    Type: IP-OPTIONS
    Subtype:
    Result: ALLOW
    Config:
    Additional Information:
     Reverse Flow based lookup yields rule:
     in  id=0xaacbcb90, priority=0, domain=inspect-ip-options, deny=true
            hits=282827537, user_data=0x0, cs_id=0x0, reverse, flags=0x0, protocol=0
            src ip=0.0.0.0, mask=0.0.0.0, port=0
            dst ip=0.0.0.0, mask=0.0.0.0, port=0, dscp=0x0

    Phase: 9
    Type: QOS
    Subtype:
    Result: ALLOW
    Config:
    Additional Information:
     Reverse Flow based lookup yields rule:
     in  id=0xb2ed5c78, priority=72, domain=qos-per-class, deny=false
            hits=4749562, user_data=0xb2ed5ad0, cs_id=0x0, reverse, flags=0x0, protocol=0
            src ip=0.0.0.0, mask=0.0.0.0, port=0
            dst ip=0.0.0.0, mask=0.0.0.0, port=0, dscp=0x0

    Phase: 10
    Type: FLOW-CREATION
    Subtype:
    Result: ALLOW
    Config:
    Additional Information:
    New flow created with id 339487904, packet dispatched to next module
    Module information for forward flow ...
    snp_fp_inspect_ip_options
    snp_fp_tcp_normalizer
    snp_fp_translate
    snp_fp_adjacency
    snp_fp_fragment
    snp_fp_tracer_drop
    snp_ifc_stat

    Module information for reverse flow ...
    snp_fp_inspect_ip_options
    snp_fp_translate
    snp_fp_tcp_normalizer
    snp_fp_adjacency
    snp_fp_fragment
    snp_fp_tracer_drop
    snp_ifc_stat

    Phase: 11
    Type: ROUTE-LOOKUP
    Subtype: output and adjacency
    Result: ALLOW
    Config:
    Additional Information:
    found next-hop 7.x.x.1 using egress ifc outside
    adjacency Active
    next-hop mac address 0007.b400.1402 hits 51982146

    Result:
    input-interface: cold
    input-status: up
    input-line-status: up
    output-interface: outside
    output-status: up
    output-line-status: up
    Action: allow

    What ASA version are you running?

    My guess is that your two static NATs are configured above the policy NAT you have configured for the VPN? If this is the case, move your policy NAT above these static NATs and you should see the traffic start to flow properly.

    --

    Please rate all useful posts
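    The following Python model is an added example (not from the thread, and not Cisco code) of the reply's diagnosis: on 8.2 code the statics are tried in configuration order and the crypto map ACL sees the already translated packet, so a host static listed above the policy static takes the traffic out of the VPN. It uses the networks and ACL names from the posted config and a constructed 203.0.113.50 in place of the redacted 74.x.x.50; nat 0 and dynamic NAT are left out.

```python
"""Model of ASA 8.2 static NAT ordering ahead of the crypto-map match.

Added example, not from the original thread or from Cisco. It reproduces the
reply's diagnosis for the packet-tracer output above: on 8.2 code, static
translations (plain and policy) are tried in configuration order, and the
crypto map ACL is then evaluated against the translated packet. The networks
192.168.141.0/24, 10.40.27.0/24 and 10.90.238.0/24 and the ACL names CSVPNNAT
and CSVPNOFFSITE come from the thread; 203.0.113.50 is a constructed stand-in
for the redacted 74.x.x.50 static. Dynamic NAT and nat 0 are not modelled.
"""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple


def net(s):
    return ipaddress.ip_network(s, strict=False)


@dataclass
class Static:
    """One 'static (real_ifc,mapped_ifc)' entry. policy_acl holds (src, dst)
    network pairs for the policy form and is None for the plain form."""
    real: ipaddress.IPv4Network
    mapped: ipaddress.IPv4Network
    policy_acl: Optional[List[Tuple[ipaddress.IPv4Network, ipaddress.IPv4Network]]] = None

    def translate(self, src, dst):
        """Mapped source for this static, or None if it does not apply."""
        if src not in self.real:
            return None
        if self.policy_acl is not None and not any(
                src in s and dst in d for s, d in self.policy_acl):
            return None
        # Network-to-network statics keep the host part (192.168.141.10 -> 10.40.27.10).
        offset = int(src) - int(self.real.network_address)
        return ipaddress.ip_address(int(self.mapped.network_address) + offset)


def apply_statics(statics, src, dst):
    """First static in configuration order wins; no match leaves the source as is."""
    src, dst = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for st in statics:
        mapped = st.translate(src, dst)
        if mapped is not None:
            return mapped
    return src


def acl_match(acl, src, dst):
    src, dst = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    return any(src in s and dst in d for s, d in acl)


# ACLs from the posted config.
CSVPNNAT = [(net("192.168.141.0/24"), net("10.90.238.0/24"))]
CSVPNOFFSITE = [(net("192.168.141.0/24"), net("10.90.238.0/24")),
                (net("10.40.27.0/24"), net("10.90.238.0/24"))]

# static (ColdSpring,outside) 203.0.113.50 192.168.141.10 netmask 255.255.255.255 (stand-in for 74.x.x.50)
HOST_STATIC = Static(net("192.168.141.10/32"), net("203.0.113.50/32"))
# static (cold,outside) 10.40.27.0 access-list CSVPNNAT
POLICY_STATIC = Static(net("192.168.141.0/24"), net("10.40.27.0/24"), CSVPNNAT)


def trace(statics, src="192.168.141.10", dst="10.90.238.148"):
    """Like packet-tracer: NAT phase first, then the crypto map ACL on the result.
    Returns (translated source, whether the VPN/encrypt phase would be reached)."""
    mapped = apply_statics(statics, src, dst)
    return str(mapped), acl_match(CSVPNOFFSITE, mapped, dst)


def as_posted():
    """Host static above the policy static: the 10.40.27.x mapping never fires."""
    return trace([HOST_STATIC, POLICY_STATIC])


def policy_nat_first():
    """The reply's fix: policy NAT moved above the plain statics."""
    return trace([POLICY_STATIC, HOST_STATIC])


if __name__ == "__main__":
    print(as_posted())          # ('203.0.113.50', False): no VPN phase, as in the trace
    print(policy_nat_first())   # ('10.40.27.10', True)
```

    With the statics in the posted order the source leaves as the host static's public address and matches neither line of CSVPNOFFSITE, which is exactly why phase 6 shows that static and no VPN phase follows; with the policy static first, the source becomes 10.40.27.10 and the second CSVPNOFFSITE line matches.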

  • NAT VPN DHCP pool to the LAN on a 2911 router

    I need to NAT the IPs assigned by the VPN DHCP pool to my LAN. My problem is that I do not know which interface to put my NAT statement on, since there is no interface that is in the same subnet as my DHCP pool. Any help would be appreciated.

    For remote-client IPsec you must have a DVTI, according to the configuration described here:

    http://www.Cisco.com/en/us/docs/iOS/12_3t/12_3t14/feature/guide/gtIPSctm...

    Use 'ip nat inside' on the virtual-template and 'ip nat outside' on the inside interface.

    HTH

    Averroès.

  • Unable to VPN from outside to inside

    I just walked into this job halfway through a migration from a software firewall to the Cisco box. The config on this thing is crazy. I need help!

    I need a VPN client from outside to inside, so the IT department can access the network hardware. Next, we'll add a few static VPNs for other devices...

    Anyway, I've tried everything, even the wizard on a dev box, to figure out what is preventing me from accessing the network. I can establish a tunnel but cannot get anywhere.

    I've included the entire config because it is poor and the problem could come from anywhere.

    Thanks for any help.

    Hello.

    It seems that you have not NAT-exempted the VPN traffic to the intended internal networks.

    I would add

    access-list nat0 extended permit ip 10.0.0.0 255.0.0.0 10.125.1.0 255.255.255.0

    Of course you can adapt this to fit the internal networks that you want to access.

    You should also bind the ip pool to your group-policy.

    See how it goes...

    Tim

  • NAT VPN

    I'm havening problems with NAT over VPN. with current configs below it will complete the first phase of the tunnel and then stop because the ip address is not natted. If I put a permit in the statement of the permits it will be nat to internet host, but not via the vpn. If I put in a static nat statement it will nat and attempt to create a tunnel but I get the error (increment the count of errors on his, try 1 5: retransmit the phase 1)

    version 12.3
    service timestamps debug datetime msec
    service timestamps log datetime msec
    service password-encryption
    !
    hostname BatsVpnRouter
    !
    boot-start-marker
    boot system flash c1700-k9o3sy7-mz.122-13.T.bin
    boot-end-marker
    !
    no logging console
    enable secret xxx
    enable password xxx
    !
    mmi polling-interval 60
    no mmi auto-configure
    no mmi pvc
    mmi snmp-timeout 180
    no aaa new-model
    no ip subnet-zero
    !
    ip cef
    ip audit po max-events 100
    !
    crypto isakmp policy 1
     encr 3des
     authentication pre-share
     group 2
    crypto isakmp key xxx address 190.0.0.1
    !
    !
    crypto ipsec transform-set bats esp-3des esp-sha-hmac
    !
    crypto map bats_map 2 ipsec-isakmp
     set peer 190.0.0.1
     set transform-set bats
     match address BATSACL
    !
    !
    !
    interface Ethernet0
     ip address 11.0.x.x 255.255.255.224
     ip nat outside
     full-duplex
     crypto map bats_map
    !
    interface FastEthernet0
     ip address 192.168.1.2 255.255.255.0
     ip nat inside
     speed 100
     full-duplex
    !
    ip nat inside source list bats-nat interface Ethernet0 overload
    ip classless
    ip route 0.0.0.0 0.0.0.0 11.0.0.1
    no ip http server
    no ip http secure-server
    !
    ip access-list extended BATSACL
     permit ip host 11.0.0.5 host 200.0.0.1
     permit ip host 192.168.1.100 host 200.0.0.1
     permit ip host 11.0.0.5 host 200.0.0.2
     permit ip host 192.168.1.100 host 200.0.0.2
     permit ip host 11.0.0.5 host 200.0.0.3
     permit ip host 192.168.1.100 host 200.0.0.3
    ip access-list extended bats-nat
     permit ip host 192.168.1.100 host 200.0.0.1 log
     permit ip host 192.168.1.100 host 200.0.0.2
     permit ip host 192.168.1.100 host 200.0.0.3
    !
    snmp-server community public RO
    snmp-server enable traps tty
    alias exec clip clear ip route *
    alias exec crs copy run start
    alias exec deb187 debug ip packet detail 187
    alias exec ospfnei show ip ospf neighbor
    alias exec ship show ip route
    alias exec shr show run
    alias exec ibis show ip interface brief
    alias exec sip show ip protocols
    alias exec tr traceroute
    alias exec ss show sessions
    alias exec sl show line
    alias exec cl clear line
    !
    line con 0
    line aux 0
    line vty 0 4
     password xxx
     login

    OK. You must make sure that the ACLs are the same (but reversed) on both sides, which means that you probably need to remove a few lines on Router 1. The ACL should look like this:

    ip access-list extended BATSACL
     permit ip host 11.0.0.5 host 200.0.0.1
     permit ip host 11.0.0.5 host 200.0.0.2
     permit ip host 11.0.0.5 host 200.0.0.3

    Remove the keyword "log" from this line:

    ip access-list extended bats-nat
     permit ip host 192.168.1.100 host 200.0.0.1 log

    OK, now that you've cleaned it up, try to bring the tunnel up again; try it with 200.0.0.1 and 200.0.0.2.

    Then check the debugging on the remote side.
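    The reply's rule (the crypto ACL on each peer must be the mirror image of the other's, and it must reference the translated source because NAT runs before the crypto map on the outbound path) is easy to check mechanically before bringing a tunnel up. The script below is an added example, not code from the thread: it parses two IOS crypto ACLs and lists entries with no reversed counterpart. Router 1's ACL is the original (uncleaned) BATSACL from the post; the remote peer's ACL is a constructed sample, since the thread does not show it.

```python
"""Check that two site-to-site crypto ACLs are mirror images of each other.

Added example (not from the original post). The remote peer's ACL below is
constructed for illustration; only the peer knows what it really looks like.
"""
import re
from ipaddress import ip_network

# Matches "permit ip host A host B" and "permit ip NET WILDCARD NET WILDCARD",
# with an optional trailing "log". Other ACL lines (header, remarks) are skipped.
_ENDPOINT = r"(?:host\s+(\S+)|(\S+)\s+(\S+))"
_LINE = re.compile(rf"^\s*permit\s+ip\s+{_ENDPOINT}\s+{_ENDPOINT}(?:\s+log)?\s*$")


def _to_net(host, net, wildcard):
    """Turn a host or net/wildcard pair into an ip_network."""
    if host:
        return ip_network(f"{host}/32")
    # An IOS wildcard mask is the bitwise inverse of a subnet mask.
    mask = ".".join(str(255 - int(octet)) for octet in wildcard.split("."))
    return ip_network(f"{net}/{mask}", strict=False)


def parse_crypto_acl(text):
    """Return the set of (src_net, dst_net) pairs the ACL selects for encryption."""
    pairs = set()
    for line in text.splitlines():
        m = _LINE.match(line)
        if m:
            src = _to_net(m.group(1), m.group(2), m.group(3))
            dst = _to_net(m.group(4), m.group(5), m.group(6))
            pairs.add((src, dst))
    return pairs


def mirror_mismatches(local_acl, remote_acl):
    """Entries on either side that the other side does not have reversed.

    Returns (local_only, remote_only); both should be empty for a healthy tunnel.
    """
    local = parse_crypto_acl(local_acl)
    remote = parse_crypto_acl(remote_acl)
    local_only = {p for p in local if (p[1], p[0]) not in remote}
    remote_only = {p for p in remote if (p[1], p[0]) not in local}
    return local_only, remote_only


# Router 1's crypto ACL as originally posted (before the suggested cleanup).
ROUTER1_BATSACL = """\
ip access-list extended BATSACL
 permit ip host 11.0.0.5 host 200.0.0.1
 permit ip host 192.168.1.100 host 200.0.0.1
 permit ip host 11.0.0.5 host 200.0.0.2
 permit ip host 192.168.1.100 host 200.0.0.2
 permit ip host 11.0.0.5 host 200.0.0.3
 permit ip host 192.168.1.100 host 200.0.0.3
"""

# Constructed sample of what the peer at 190.0.0.1 would have if it only
# knows Router 1's translated address, 11.0.0.5 (ACL name is made up).
REMOTE_PEER_ACL = """\
ip access-list extended TO_BATS
 permit ip host 200.0.0.1 host 11.0.0.5
 permit ip host 200.0.0.2 host 11.0.0.5
 permit ip host 200.0.0.3 host 11.0.0.5
"""


def report(local_acl=ROUTER1_BATSACL, remote_acl=REMOTE_PEER_ACL):
    """Human-readable list of the entries that break the mirror property."""
    local_only, remote_only = mirror_mismatches(local_acl, remote_acl)
    lines = [f"local entry with no mirror on peer: {s} -> {d}" for s, d in sorted(local_only, key=str)]
    lines += [f"peer entry with no mirror locally: {s} -> {d}" for s, d in sorted(remote_only, key=str)]
    return lines or ["crypto ACLs mirror each other"]


if __name__ == "__main__":
    print("\n".join(report()))
```

    Run against the posted ACL, the three 192.168.1.100 entries come back as local-only: the peer never sees that address because `ip nat inside source list bats-nat ... overload` has already rewritten it by the time the crypto map evaluates the packet, which is why the reply drops them from BATSACL.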

  • Policy static NAT in conflict with VPN NAT

    I have a situation where I need to create a site-to-site VPN between an ASA 5505 running IOS 7.2 and a SonicWall NSA 4500. The problem arises because the LAN behind the Cisco ASA has the same subnet as an existing VPN already created on the SonicWall. Since the SonicWall cannot have two VPNs both running on the same subnet, the solution is to use policy NAT on the ASA so that, to the SonicWall, the new VPN appears to have a different subnet.

    The current subnet behind the ASA is 192.168.10.0/24 (the SonicWall already has a VPN created for another customer with the same subnet). I am trying to translate it to 192.168.24.0/24. The peer LAN (behind the SonicWall) is 10.159.0.0/24. The relevant ASA configuration is:

    interface Vlan1
     ip address 192.168.10.1 255.255.255.0

    access-list outside_1_cryptomap extended permit ip 192.168.24.0 255.255.255.0 10.159.0.0 255.255.255.0

    access-list VPN extended permit ip 192.168.10.0 255.255.255.0 10.159.0.0 255.255.255.0

    static (inside,outside) 192.168.24.0 access-list VPN

    crypto map outside_map 1 match address outside_1_cryptomap

    In addition, there are other static NAT statements and their associated ACLs that allow certain traffic through the firewall to the server, for example:

    static (inside,outside) tcp interface smtp SERVER smtp netmask 255.255.255.255

    The problem is this: when I enter the policy static NAT statement, I get the message 'WARNING: real-address conflict with existing static' and then it refers to each of the static NAT statements mapping the external address to the server. I've thought about it, and it seemed to me that the problem was that the policy NAT statement must be the first NAT statement (it is the last one) so that it is evaluated first and all traffic destined for the VPN to the SonicWall (destination 10.159.0.0/24) would be handled properly. If I left it as the last statement, then the other static NAT statements would prevent part of the traffic bound for the 10.159.0.0/24 network from being routed correctly through the VPN tunnel.

    So, I first tried to move my policy NAT statement upward in the ASDM GUI. However, moving the statement was not allowed. Then I tried deleting the five static NAT statements that point to the server (an example is above) and then recreating them, hoping that would move the policy NAT statement up. This also failed.

    What am I missing?

    Hello

    I assumed that we could have changed the order of the 'static' commands, but as that did not work for some reason, it seems to me that either the change you suggested or the one I proposed should work.

    I guess your purpose was to set up policy static PAT for the VPN for some of these services, then static PAT for public network access, then policy static NAT for the rest of the internal network.

    I guess you could choose whichever way seems best for you.

    Let me know if you get it working. I still find it strange that the original configuration did not work.

    Remember to mark a reply as the answer if it answered your question.

    Feel free to ask more if necessary

    -Jouni
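    The poster's reasoning (on pre-8.3 ASA code the `static` entries are consulted in configured order and the first match wins, so a policy static placed after a plain static for the same real address never gets a chance to translate the VPN-bound traffic) can be made concrete with a small first-match model. The script below is an added example written for this page, not ASA code or anything from the thread, and it is a deliberate simplification: it models only the source-address, destination and real-port matching needed to show the ordering effect. The policy static and the SMTP static PAT come from the post; SERVER's real address (192.168.10.5), the outside interface address (203.0.113.1) and the plain one-to-one static for SERVER are assumptions made for illustration.

```python
"""Simplified first-match model of pre-8.3 ASA static NAT ordering.

Added example, not from the original thread. Models the 'first matching
static wins' rule to show why the policy static must precede the plain
statics that cover the same real address.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional


@dataclass(frozen=True)
class Static:
    line: str                        # config line, for reporting
    real: str                        # real (inside) address or network
    mapped: str                      # mapped (outside) address or network
    dest: Optional[str] = None       # policy static: only for this destination
    proto: Optional[str] = None      # static PAT: only this protocol ...
    real_port: Optional[int] = None  # ... and this real source port

    def matches(self, pkt: dict) -> bool:
        if ip_address(pkt["src"]) not in ip_network(self.real):
            return False
        if self.dest and ip_address(pkt["dst"]) not in ip_network(self.dest):
            return False
        if self.proto and (pkt.get("proto"), pkt.get("sport")) != (self.proto, self.real_port):
            return False
        return True


def first_match(statics, pkt):
    """The first static (in configured order) that applies to pkt, or None."""
    return next((s for s in statics if s.matches(pkt)), None)


def mapped_source(statics, pkt):
    """Source address the outside sees for pkt; unchanged if no static matches."""
    s = first_match(statics, pkt)
    if s is None:
        return pkt["src"]
    real, mapped = ip_network(s.real), ip_network(s.mapped)
    offset = int(ip_address(pkt["src"])) - int(real.network_address)
    return str(ip_address(int(mapped.network_address) + offset))


def selected_by_cryptomap(mapped_src, dst):
    """Does the translated flow match outside_1_cryptomap (192.168.24.0/24 -> 10.159.0.0/24)?"""
    return (ip_address(mapped_src) in ip_network("192.168.24.0/24")
            and ip_address(dst) in ip_network("10.159.0.0/24"))


# From the post: policy static for the VPN and the SMTP static PAT to SERVER.
POLICY_VPN = Static("static (inside,outside) 192.168.24.0 access-list VPN",
                    real="192.168.10.0/24", mapped="192.168.24.0/24", dest="10.159.0.0/24")
SMTP_PAT = Static("static (inside,outside) tcp interface smtp SERVER smtp netmask 255.255.255.255",
                  real="192.168.10.5/32", mapped="203.0.113.1/32", proto="tcp", real_port=25)
# Assumed: a plain one-to-one static for SERVER, standing in for the other server statics.
PLAIN_SERVER = Static("static (inside,outside) 203.0.113.5 SERVER netmask 255.255.255.255",
                      real="192.168.10.5/32", mapped="203.0.113.5/32")

AS_POSTED = [SMTP_PAT, PLAIN_SERVER, POLICY_VPN]   # policy static is last
POLICY_FIRST = [POLICY_VPN, SMTP_PAT, PLAIN_SERVER]

# Constructed flows: SERVER opening a connection to the SonicWall LAN and to the Internet.
TO_PEER_LAN = {"src": "192.168.10.5", "dst": "10.159.0.7", "proto": "tcp", "sport": 51000}
TO_INTERNET = {"src": "192.168.10.5", "dst": "198.51.100.9", "proto": "tcp", "sport": 51001}


def explain(statics, pkt):
    """One line describing which static fired and whether the flow enters the tunnel."""
    src = mapped_source(statics, pkt)
    hit = first_match(statics, pkt)
    via = hit.line if hit else "no static"
    tunnel = "into VPN" if selected_by_cryptomap(src, pkt["dst"]) else "NOT into VPN"
    return f"{pkt['src']} -> {pkt['dst']}: translated to {src} by [{via}] => {tunnel}"


if __name__ == "__main__":
    for name, order in (("as posted", AS_POSTED), ("policy first", POLICY_FIRST)):
        print(f"--- {name} ---")
        print(explain(order, TO_PEER_LAN))
        print(explain(order, TO_INTERNET))
```

    With the policy static last, SERVER's traffic to 10.159.0.7 is caught by the plain static, leaves as 203.0.113.5 and never matches outside_1_cryptomap; with the policy static first it leaves as 192.168.24.5 and enters the tunnel, while Internet-bound traffic still falls through to the plain static. The real ASA has more rules (nat 0 exemption before statics, dynamic NAT after), but the ordering dependency is the one the thread is about.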

  • VPN NAT rule problem

    Hello people, I've had a lot of trouble trying to solve this problem, but I'm hoping someone here can enlighten me.

    I have a remote site that hosts a number of services that we manage remotely over an IPsec VPN connection. When connecting to the site we connect fine and can do most things like RDP and connecting to servers for maintenance, but one service fails to connect unless I add a NAT exempt rule to the configuration of the router (ASA 5505).

    Once this rule is in place the service works, but other services that initially worked stop working. In short, this rule must be in place while doing a single task, but then removed for other tasks. I hope there is some sort of rule or behavior I can add to the configuration in ASDM so that I don't have to manually add this rule whenever I connect.

    Here are the details of the rule:

    access-list outside_nat0_outbound line 1 extended permit ip 192.168.15.192 255.255.255.192 192.168.15.0 255.255.255.0

    nat (outside) 0 access-list outside_nat0_outbound outside tcp 0 0 udp 0

    When the connection is established without the rule in place, the ASDM syslog shows these warnings:

    Deny tcp src inside:10.100.32.203/135 dst outside:61745 by access-group "inside_access_in" [0x0, 0x0]

    The strange thing is that 10.100.32.203 is the internal IP of my host computer. This is not even the external IP address of the network I connect from.

    Is it possibly a problem with the VPN pool using a subset of the inside VLAN's subnet? The inside VLAN is 192.168.15.0/24 and the VPN pool is 192.168.15.200 - 250. I am willing to reconfigure the VPN address pool but need to do so remotely, and I am unsure how to do this reconfiguration safely without losing my remote access, since physical access to the router itself is currently very difficult.

    If more details are needed, I am happy to provide them.

    Hi GrahamB,

    Yes, the problem is the overlapping subnet.

    There are plenty of private addresses available, so please create a new group-policy and tunnel-group and

    give them a separate IP address pool, then connect remotely with it; once the new group solves your problem, you can safely remove the old one.

    I hope this helps.

    Thank you

    Rizwan Muhammed.
