NAT VPN
I'm havening problems with NAT over VPN. with current configs below it will complete the first phase of the tunnel and then stop because the ip address is not natted. If I put a permit in the statement of the permits it will be nat to internet host, but not via the vpn. If I put in a static nat statement it will nat and attempt to create a tunnel but I get the error (increment the count of errors on his, try 1 5: retransmit the phase 1)
version 12.3
horodateurs service debug datetime msec
Log service timestamps datetime msec
encryption password service
!
hostname BatsVpnRouter
!
boot-start-marker
start the system flash c1700-k9o3sy7 - mz.122 - 13.T.bin
boot-end-marker
!
no console logging
Select the secret xxx
activate the password xxx
!
MMI-60 polling interval
No mmi self-configuring
No pvc mmi
MMI snmp-timeout 180
No aaa new-model
no ip subnet zero
!
IP cef
Max-events of po verification IP 100
!
crypto ISAKMP policy 1
BA 3des
preshared authentication
Group 2
ISAKMP crypto key xxx address 190.0.0.1
!
!
Crypto ipsec transform-set esp-3des esp-sha-hmac bats
!
bats_map 2 ipsec-isakmp crypto map
defined by peer 190.0.0.1
transformation-BALD-MOUSE game
-More - match address BATSACL
!
!
!
interface Ethernet0
IP address 11.0.x.x.255.255.224
NAT outside IP
full-duplex
bats_map card crypto
!
interface FastEthernet0
IP 192.168.1.2 255.255.255.0
IP nat inside
Speed 100
full-duplex
!
IP nat inside source list bats-nat interface Ethernet0 overload
IP classless
IP route 0.0.0.0 0.0.0.0 11.0.0.1
no ip address of the http server
no ip http secure server
!
BATSACL extended IP access list
permit ip host 11.0.0.5 200.0.0.1
192.168.1.100 ip permit host 200.0.0.1
permit ip host 11.0.0.5 200.0.0.2
192.168.1.100 ip permit host 200.0.0.2
permit ip host 11.0.0.5 200.0.0.3
192.168.1.100 ip permit host 200.0.0.3
IP extended access-list of the bats-nat
permit log host 200.0.0.1 host 192.168.1.100 ip
192.168.1.100 ip permit host 200.0.0.2
192.168.1.100 ip permit host 200.0.0.3
!
public RO SNMP-server community
Enable SNMP-Server intercepts ATS
alias exec clip claire rou ip *.
alias exec crs copy run start
alias exec deb187 debug ip pack det 187
alias exec ospfnei sh ip ospf nei
alias exec ship sho ip route
alias exec shr sho run
alias exec Ibis show ip brief inter
alias exec ip sip sho pro
alias exec tr traceroute
alias exec ss sho sess
sho alias exec sl online
alias exec cl clear line
!
Line con 0
line to 0
line vty 0 4
password xxx
opening of session
Ok. You must make sure that the ACl:s are the same (but in reverse) on both sides, which means that you probably need to remove a few lines on the Router 1. The ACL should look like this:
BATSACL extended IP access list
permit ip host 11.0.0.5 200.0.0.1
permit ip host 11.0.0.5 200.0.0.2
permit ip host 11.0.0.5 200.0.0.3
Remove the keyword "log" of this line:
IP extended access-list of the bats-nat
permit log host 200.0.0.1 host 192.168.1.100 ip
OK, now you've cleaned it, trying to make appear the tunnel again, try it with 200.0.0.1 and 200.0.0.2.
Then, check the remote debugging.
Tags: Cisco Security
Similar Questions
-
We have a place where you want to set up a tunnel VPN to our headquarters.
In this place, there is a router that PAT (NAT overloading), and then a few jumps more, there is a firewall that makes the NAT.
Is this could pose a problem for the VPN tunnel?
Here's a "pattern" of what looks like the connection.
Customer--> PAT - router-->--> Internet--> CVPN3005 NAT firewall
I hope you can provide me with an answer.
VPN tunnel will not work in your scenario. NAT second change address and the ports you want to use for the vpn tunnel. So the port 500 wil be translated to top port and will be rejected at HQ.
-
I have read on several posts on the topic and still think I'm missing something, I'm looking for help.
Basically, I'm now implementing multiple VPN tunnels for external connections. We strive to keep the external "private addresses" our basic using NAT network.
I can get the Tunnel to work without problems using the ACL SHEEP; However, this technique requires that our internal network is aware of their external addresses "private." Our goal is to enter an address on the inside that is NAT to the external address 'private' and then shipped via the VPN tunnel. Basically to hide the external address 'private' of our internal systems that they would appear as thought the connection was one of our own networks.
The reverse is true coming from their external 'private' network. Any information of "their" private network external origin would result in our 'private' on arrival address space.
Is this possible? I am attaching a schema, which could help.
Hello
Yes, this should be possible. Lets say you allocate 10.112.2.250 as the address that you use to present the external server 192.168.10.10.
On your ASA device
public static 10.112.2.250 (exterior, Interior) 192.168.10.10 netmask 255.255.255.255
You will need to make sure that when the system tries to connect to 10.112.2.250 it is routed to the device of the SAA.
HTH
Jon
-
Pool of dhcp NAT VPN to the LAN on router 2911
I need nat the ips assigned by dhcp vpn to my LAN pool. My problem is that I do not know which interface to set my nat statement on since there is no interface that is in the same subnet as my dhcp pool. Any help would be appreciated.
For remote client ipsec, you must have DVTI according to configuration described here:
http://www.Cisco.com/en/us/docs/iOS/12_3t/12_3t14/feature/guide/gtIPSctm...
'use ip nat inside' on the virtual model and 'ip nat outside' on the inside of the interface.
HTH
Averroès.
-
NAT VPN tunnel and still access Internet traffic
Hello
Thank you in advance for any help you can provide.
I have a server with the IP 192.168.1.9 that needs to access a subnet remote from 192.168.50.0/24, through the Internet. However, before the server can access the remote subnet, the server IP must be NAT'ed to 10.1.0.1 because the VPN gateway remote (which is not under my control) allows access to other customers who have the same subnet address that we do on our local network.
We have a 2801 Cisco (running c2801-advsecurityk9 - mz.124 - 15.T9.bin) set up to make the NAT. It is the only gateway on our network.
I have configured the Cisco 2801 with the following statements of NAT and the relevant access lists:
access-list 106 allow host ip 192.168.1.9 192.168.50.0 0.0.0.255
NAT extended IP access list
refuse the host ip 192.168.1.9 192.168.50.0 0.0.0.255
deny ip 192.168.1.0 0.0.0.255 192.168.3.0 0.0.0.255
ip permit 192.168.1.0 0.0.0.255 anyroute allowed ISP 10 map
corresponds to the IP NATIP nat EMDVPN 10.1.0.1 pool 10.1.0.1 netmask 255.255.255.0
IP nat inside source list 106 pool EMDVPN
IP nat inside source map route ISP interface FastEthernet0/1 overloadWhen the server (192.168.1.9) attempts to ping on the subnet of 192.168.50.0/24 devices, the VPN tunnel is established successfully. However, after that, the server is no longer able to access the Internet because the NAT translation for 192.168.1.9 has changed since the external IP address of the router (FastEthernet0/1) at 10.1.0.1.
The documentation I've seen on the site of Cisco says that this type of Setup allows only host subnet communication. Internet access is not possible. However, maybe I missed something, or one of you experts can help me. Is it possible to configure the NAT router traffic destined to the VPN tunnel and still access the Internet by using the dynamic NAT on FastEthernet0/1?
Once again, thank you for any help you can give.
Alex
Hello
Rather than use a pool for NAT
192.168.1.9 - 10.1.0.1 > 192.168.50.x
ACL 102 permit ip 192.168.1.9 host 192.168.50.0 0.0.0.255
RM-STATIC-NAT route map permit 10
corresponds to the IP 102IP nat inside source static 192.168.1.9 10.1.0.1 card expandable RM-STATIC-NAT route
ACL 101 deny host ip 192.168.1.9 192.168.50.0 0.0.0.255
ACL 101 by ip 192.168.1.0 0.0.0.255 any
overload of IP nat inside source list 101 interface FastEthernet0/1VPN access list will use the source as 10.1.0.1... *.
Let me know if it works.
Concerning
M
-
8.2 policy-nat VPN port (5) ASA5510 of ASA5515 8.6 (1)
I have this existing config (which works) on ASA5510 v8.2 (5)
Need this port above ASA5515 v8.6 (1) running
ASA5510 inside the net: 192.168.1.0/24
On the remote VPN peer network: 172.16.21.192/28
!
InsideGlobal-2-OutsideNetwork to the list of allowed access host ip 10.0.200.211 172.16.21.192 255.255.255.240
InsideGlobal-2-OutsideNetwork to the list of allowed access host ip 10.0.202.39 172.16.21.192 255.255.255.240
!
InsideLocal.1 - 2-OutsideNetwork from the list of allowed access host ip 192.168.1.1 172.16.21.192 255.255.255.240
InsideLocal.191 - 2-OutsideNetwork to the list of allowed access host ip 192.168.1.191 172.16.21.192 255.255.255.240
!
public static 10.0.200.211 (inside, outside) access-list InsideLocal.1 - 2-OutsideNetwork
public static 10.0.202.39 (inside, outside) access-list InsideLocal.191 - 2-OutsideNetwork
!
correspondence address 1 card crypto outside_map InsideGlobal-2-OutsideNetwork
!I think what I need is the following:
!
network of the OBJ_172.16.21.192_28 object
subnet 172.16.21.192 255.255.255.240
!
network of the OBJ_10.0.200.211_32 object
Home 10.0.200.211
!
network of the OBJ_10.0.202.39_32 object
Home 10.0.202.39
!
network of the OBJ_192.168.1.1_32 object
host 192.168.1.1
!
network of the OBJ_192.168.1.191_32 object
Home 192.168.1.191
!
InsideGlobal-2-OutsideNetwork of the ip object OBJ_10.0.200.211_32 object OBJ_172.16.21.192_28 allowed extended access list
InsideGlobal-2-OutsideNetwork of the ip object OBJ_10.0.202.39_32 object OBJ_172.16.21.192_28 allowed extended access list
!
NAT (inside, outside) static source OBJ_192.168.1.1_32 OBJ_10.0.200.211_32 OBJ_172.16.21.192_28 OBJ_172.16.21.192_28 non-proxy-arp-search of route static destination
NAT (inside, outside) static source OBJ_192.168.1.191_32 OBJ_10.0.200.39_32 OBJ_172.16.21.192_28 OBJ_172.16.21.192_28 non-proxy-arp-search of route static destination
!
correspondence address 1 card crypto outside_map InsideGlobal-2-OutsideNetworkTHX - Phil
Hi Phil,
The converted 8.6.x 8.2.x configuration is correct. Go with him.
Vishnu
-
I've recently updated to 8.3.2 and I have been informed of these NAT changes, but even after reading the https://supportforums.cisco.com/docs/DOC-12569 I am still unable to rectify the communication network 192.168.100.0 VPN with hosts on 172.16.1.0 and 172.16.9.0. VPN clients connect to the external interface, and I try to ping inside and the demilitarized zone, respectable 172.16.1.0 and 172.16.9.0 hosts. VPN client shows that the two previously mentioned networks such as roads of security, but still not to the ping pong.
# sh nat
Manual NAT policies (Section 1)
1 (inside) to the (whole) source static obj - 172.16.9.0 obj - 172.16.9.0 destination static obj - obj - unidirectional 192.168.100.0 192.168.100.0
translate_hits = 0, untranslate_hits = 0
2 (inside) to the (whole) source static obj - 172.16.1.0 obj - 172.16.1.0 destination static obj - obj - unidirectional 192.168.100.0 192.168.100.0
translate_hits = 0, untranslate_hits = 0
3 (inside) to the (whole) source static obj - 172.16.1.0 obj - 172.16.1.0 destination static obj - 172.16.12.0 obj - one-way 172.16.12.0
translate_hits = 0, untranslate_hits = 0
4 (dmz) to (outside) source static obj - 172.16.9.0 obj - 172.16.9.0 destination static obj - obj - unidirectional 192.168.100.0 192.168.100.0
translate_hits = 0, untranslate_hits = 0
5 (dmz) to (outside) source static obj - 172.16.9.0 obj - 172.16.9.0 destination static obj - 172.16.12.0 obj - one-way 172.16.12.0
translate_hits = 0, untranslate_hits = 0
Auto NAT policies (Section 2)
1 (dmz), to the source (external) static obj - 172.16.9.5 interface tcp www www service
translate_hits = 0, untranslate_hits = 142
2 (dmz) (outdoor) source static obj - 172.16.9.5 - 01 interface service tcp 3389 3389
translate_hits = 0, untranslate_hits = 2
3 (dmz) (outdoor) source static obj - 172.16.9.5 - 02 interface tcp ldap ldap service
translate_hits = 0, untranslate_hits = 0
4 (dmz) (outdoor) source static obj interface - 172.16.9.5 - 03 service ftp ftp tcp
translate_hits = 0, untranslate_hits = 0
5 (dmz) to (outside) of the source static obj - 172.16.9.5 - 04 interface tcp smtp smtp service
translate_hits = 0, untranslate_hits = 267
6 (inside) source static obj - 172.16.9.0 172.16.9.0 (dmz)
translate_hits = 4070, untranslate_hits = 224
7 (inside) to (dmz) source static obj - 10.1.0.0 10.1.0.0
translate_hits = 0, untranslate_hits = 0
8 (inside) to (dmz) source static obj - 172.16.0.0 172.16.0.0
translate_hits = 152, untranslate_hits = 4082
9 (dmz) to dynamic interface of the obj - 172.16.9.0 - 01 source (outdoor)
translate_hits = 69, untranslate_hits = 0
10 (inside) to the obj_any interface dynamic source (external)
translate_hits = 196, untranslate_hits = 32
I think you must following two NAT config
NAT (inside, outside) source static obj - 172.16.1.0 obj - 172.16.1.0 destination static obj - 192.168.100.0 obj - 192.168.100.0
NAT (dmz, external) source static obj - 172.16.9.0 obj - 172.16.9.0 destination static obj - 192.168.100.0 obj - 192.168.100.0Please configure them and remove any additional NAT configuration and then try again.
-
Public static political static NAT in conflict with NAT VPN
I have a situation where I need to create a VPN site-to site between an ASA 5505 using IOS 7.2 and a Sonicwall NSA4500. The problem arises where the LAN behind the Cisco ASA has the same subnet an existing VPN currently created on the Sonicwall. Since the Sonicwall cannot have two VPN both run on the same subnet, the solution is to use policy NAT on the SAA as well as for the Sonicwall, the new VPN seems to have a different subnet.
The current subnet behind the ASA is 192.168.10.0/24 (The Sonicwall already has a private network virtual created for another customer with the same subnet). I try to translate it to 192.168.24.0/24. The peer LAN (behind the Sonicwall) is 10.159.0.0/24. The ASA relevant configuration is:
interface Vlan1
IP 192.168.10.1 255.255.255.0
access extensive list ip 192.168.24.0 outside_1_cryptomap allow 255.255.255.0 10.159.0.0 255.255.255.0
list of access VPN extended permit ip 192.168.10.0 255.255.255.0 10.159.0.0 255.255.255.0
public static 192.168.24.0 (inside, outside) - list of VPN access
card crypto outside_map 1 match address outside_1_cryptomap
In addition, there are other static NAT instructions and their associated ACLs that allow certain traffic through the firewall on the server, for example:
public static tcp (indoor, outdoor) interface smtp SERVER smtp netmask 255.255.255.255
The problem is this: when I enter the static strategy statement NAT, I get the message ' WARNING: real-address conflict with existing static "and then it refers to each of the static NAT statements reflecting the external address to the server. I've thought about it, and it seemed to me that the problem was that policy NAT statement must be the first statement of NAT (it is the last one) so that it is run first and all traffic destined to the VPN to the Sonicwall (destination 10.159.0.0/24) tunnel would be properly treated. If I left him as the last statement, then the other static NAT statements would prevent a part of the 10.159.0.0/24 network-bound traffic to be correctly routed through the VPN.
So, I tried first to my stated policy NAT upward in the ASDM GUI interface. However, moving the declaration was not allowed. Then I tried to delete the five static NAT statements that point to the server (an example is above) and then recreate them, hoping that would then move up the policy statement NAT. This also failed.
What Miss me?
Hello
I assumed that we could have changed the order of the 'static' , the original orders, but as it did not work for some reason any then it seems to me that you suggested or change, that I proposed should work.
I guess that your purpose was to set up static political PAT for the VPN for some these services, then static PAT of public network access, then static NAT to policy for the rest of the network in-house.
I guess you could choose any way seems best for you.
Let me know if get you it working. I always find it strange that the original configuration did not work.
Remember to mark a reply as the answer if it answered your question.
Feel free to ask more if necessary
-Jouni
-
Try to find what happened. I had the remote end raise the tunnel, as they can ping resources on my side. I am unable to ping 10.90.238.148 through this tunnel. I used to be able to until the interface of K_Inc has been added. The network behind this interface is 10/8.
I asked a question earlier in another post and advises him to play opposite road of Cryptography. And who did it. I was able to ping 10.90.238.148 of 192.168.141.10, with the config below.
I am at a loss to why I can't all of a sudden. A bit of history, given routes have not changed. By adding the command set opposite road to cryptography, I find myself with a static entry for the 10.90.238.0 network is what fixed it initially so I don't think it's a problem of route. The remote end had an overlap with the 192.168.141.0/24 that is why my side is natted on the 10.40.27.0. None of the nats have changed so if adding the reverse route worked for a day, it should still work. Any thoughts?
interface GigabitEthernet0/3.10
VLAN 10
nameif K_Inc
security-level 100
IP address 192.168.10.254 255.255.255.0
interface GigabitEthernet0/3.141
VLAN 141
cold nameif
security-level 100
IP 192.168.141.254 255.255.255.0
(Cold) NAT 0 access-list sheep
NAT (cold) 1 192.168.141.0 255.255.255.0
Access extensive list ip 192.168.141.0 CSVPNOFFSITE allow 255.255.255.0 10.90.238.0 255.255.255.0
Access extensive list ip 10.40.27.0 CSVPNOFFSITE allow 255.255.255.0 10.90.238.0 255.255.255.0
Access extensive list ip 192.168.141.0 CSVPNNAT allow 255.255.255.0 10.90.238.0 255.255.255.0
IP 10.40.27.0 allow Access-list extended sheep 255.255.255.0 10.90.238.0 255.255.255.0
static 10.40.27.0 (cold, outside) - CSVPNNAT access list
card crypto Outside_map 5 corresponds to the address CSVPNOFFSITE
card crypto Outside_map 5 the value reverse-road
card crypto Outside_map 5 set pfs
card crypto Outside_map 5 set peer 20.x.x.3
Outside_map 5 transform-set ESP-3DES-MD5 crypto card game
card crypto Outside_map 5 defined security-association life seconds 28800
card crypto Outside_map 5 set security-association kilobytes of life 4608000
tunnel-group 20.x.x.3 type ipsec-l2l
20.x.x.3 Group of tunnel ipsec-attributes
pre-shared-key *.
Route outside 0.0.0.0 0.0.0.0 7.x.x.1 1
Route 10.0.0.0 K_Inc 255.192.0.0 192.168.10.252 1
Route K_Inc 10.64.0.0 255.224.0.0 192.168.10.252 1
Route K_Inc 10.100.100.0 255.255.255.0 192.168.10.252 1
Route K_Inc 10.128.0.0 255.128.0.0 192.168.10.252 1
Tunnel is up:
14 peer IKE: 20.x.x.243
Type: L2L role: answering machine
Generate a new key: no State: MM_ACTIVE
EDIT:
I just noticed when tracer packet i run I don't get a phase VPN or encrypt:
Packet-trace entry cold tcp 192.168.141.10 80 80 10.90.238.148 det
Phase: 1
Type: FLOW-SEARCH
Subtype:
Result: ALLOW
Config:
Additional information:
Not found no corresponding stream, creating a new stream
Phase: 2
Type:-ROUTE SEARCH
Subtype: entry
Result: ALLOW
Config:
Additional information:
in 10.90.238.0 255.255.255.0 outside
Phase: 3
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional information:
Direct flow from returns search rule:
ID = 0xad048d08, priority = 0, sector = option-ip-enabled, deny = true
hits = 2954624, user_data = 0 x 0, cs_id = 0 x 0, reverse, flags = 0 x 0 = 0 protocol
SRC ip = 0.0.0.0 mask 0.0.0.0, port = 0 =
DST ip = 0.0.0.0 mask = 0.0.0.0, port = 0, dscp = 0 x 0
Phase: 4
Type: QOS
Subtype:
Result: ALLOW
Config:
Additional information:
Direct flow from returns search rule:
ID = 0xb2ed4b80, priority = 72, domain = qos by class, deny = false
hits = 2954687, user_data = 0xb2ed49d8, cs_id = 0 x 0, reverse, flags = 0 x 0 = 0 protocol
SRC ip = 0.0.0.0 mask 0.0.0.0, port = 0 =
DST ip = 0.0.0.0 mask = 0.0.0.0, port = 0, dscp = 0 x 0
Phase: 5
Type: FOVER
Subtype: Eve-updated
Result: ALLOW
Config:
Additional information:
Direct flow from returns search rule:
ID = 0xad090180, priority = 20, area = read, deny = false
hits = 618776, user_data = 0 x 0, cs_id = 0 x 0, flags = 0 x 0, Protocol = 6
SRC ip = 0.0.0.0 mask 0.0.0.0, port = 0 =
DST ip = 0.0.0.0 mask = 0.0.0.0, port = 0, dscp = 0 x 0
Phase: 6
Type: NAT
Subtype:
Result: ALLOW
Config:
static (ColdSpring, external) 74.x.x.50 192.168.141.10 netmask 255.255.255.255
match ip host 192.168.141.10 ColdSpring outside of any
static translation at 74.x.x.50
translate_hits = 610710, untranslate_hits = 188039
Additional information:
Definition of static 192.168.141.10/0 to 74.112.122.50/0 using subnet mask 255.255.255.255
Direct flow from returns search rule:
ID = 0xac541e50, priority = 5, area = nat, deny = false
hits = 610742, user_data = 0xac541c08, cs_id = 0 x 0, flags = 0 x 0 = 0 protocol
SRC ip = 192.168.141.10, mask is 255.255.255.255, port = 0
DST ip = 0.0.0.0 mask = 0.0.0.0, port = 0, dscp = 0 x 0
Phase: 7
Type: NAT
Subtype: host-limits
Result: ALLOW
Config:
static (ColdSpring, dmz) 192.168.141.0 192.168.141.0 netmask 255.255.255.0
match ip ColdSpring 192.168.141.0 255.255.255.0 dmz all
static translation at 192.168.141.0
translate_hits = 4194, untranslate_hits = 20032
Additional information:
Direct flow from returns search rule:
ID = 0xace2c1a0, priority = 5, area = host, deny = false
hits = 2954683, user_data = 0xace2ce68, cs_id = 0 x 0, reverse, flags = 0 x 0 = 0 protocol
SRC ip = 192.168.141.0, mask is 255.255.255.0, port = 0
DST ip = 0.0.0.0 mask = 0.0.0.0, port = 0, dscp = 0 x 0
Phase: 8
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional information:
Reverse flow from returns search rule:
ID = 0xaacbcb90, priority = 0, sector = option-ip-enabled, deny = true
hits = 282827537, user_data = 0 x 0, cs_id = 0 x 0, reverse, flags = 0 x 0 = 0 protocol
SRC ip = 0.0.0.0 mask 0.0.0.0, port = 0 =
DST ip = 0.0.0.0 mask = 0.0.0.0, port = 0, dscp = 0 x 0
Phase: 9
Type: QOS
Subtype:
Result: ALLOW
Config:
Additional information:
Reverse flow from returns search rule:
ID = 0xb2ed5c78, priority = 72, domain = qos by class, deny = false
hits = 4749562, user_data = 0xb2ed5ad0, cs_id = 0 x 0, reverse, flags = 0 x 0 = 0 protocol
SRC ip = 0.0.0.0 mask 0.0.0.0, port = 0 =
DST ip = 0.0.0.0 mask = 0.0.0.0, port = 0, dscp = 0 x 0
Phase: 10
Type: CREATING STREAMS
Subtype:
Result: ALLOW
Config:
Additional information:
New workflow created with the 339487904 id, package sent to the next module
Information module for forward flow...
snp_fp_inspect_ip_options
snp_fp_tcp_normalizer
snp_fp_translate
snp_fp_adjacency
snp_fp_fragment
snp_fp_tracer_drop
snp_ifc_stat
Information for reverse flow...
snp_fp_inspect_ip_options
snp_fp_translate
snp_fp_tcp_normalizer
snp_fp_adjacency
snp_fp_fragment
snp_fp_tracer_drop
snp_ifc_stat
Phase: 11
Type:-ROUTE SEARCH
Subtype: output and contiguity
Result: ALLOW
Config:
Additional information:
found 7.x.x.1 of next hop using ifc of evacuation outside
contiguity Active
0007.B400.1402 address of stretch following mac typo 51982146
Result:
input interface: cold
entry status: to the top
entry-line-status: to the top
output interface: outside
the status of the output: to the top
output-line-status: to the top
Action: allow
What version are you running to ASA?
My guess is that your two static NAT is configured above policy nat you have configured for the VPN? If this is the case, move your above these static NAT NAT policy and you should see the traffic start to flow properly.
--
Please note all useful posts
-
Hello people, I had a lot of trouble trying to solve this problem, but hoping someone here can enlighten me.
I have a remote site that hosts a number of services that we manage remotely with an IPSec VPN connection. When connecting to the site connect us very well and can make most of the actions like RDP and connect to servers for maintenance, but a service fails to connect unless I have add a NAT rule exempt to the configuration of the router (ASA 5505).
Once this rule in place service work, but other services that initially worked work stoppage. In short, this rule must be in place while doing a single task, but then contracted for other tasks. I hope that there is some sort of rule or behavior, I can add to the ASDM configuration makes it so I don't have to manually add this rule whenever I connect.
Here are the details of the rule:
access-list 1 permit line outside_nat0_outbound extended ip 192.168.15.192 255.255.255.192 192.168.15.0 255.255.255.0
NAT (outside) 0 outside_nat0_outbound list access outside tcp udp 0 0 0
When the connection is established without the rule in place the ASDM syslog shows these warnings:
Deny tcp src inside: outside:10.100.32.203/135 dst
61745 by access-group "inside_access_in" [0x0, 0x0] The strange thing is 10.100.32.203 is IP internal my host computer. This is not yet the external IP address of the network I connect from.
Is it possible a problem with the VPN pool using a subset of the subnet of the VIRTUAL LAN inside? Inside VLAN is 192.168.15.0/24 and the VPN is 192.168.15.200 - 250. I am ready to reconfigure the VPN address pool but need to do remotely, and am unaware of how to do this reconfiguration safely without losing my remote access, since physical access to the router itself is currently very difficult.
If more details are needed, I am happy to give them.
Hi GrahamB,
Yes, the problem with too much running in subnet.
There are a lot of private-address available, so please create a new group policy and tunnel-group and fill
pool separate to value ip address and remote with it, when the new cluster to solve your problem, can safely remove the old one.
I hope this helps.
Thank you
Rizwan Muhammed.
-
Issue of 8.3 to 8.2 NAT VPN SSL
In the study and test SSL VPN on a SAA, I have the network as shown in the attached diagram. The configuration is the result of an ASA with 8.3 but our ASA is 8.2 and at this time I am not familiar with the new NAT configuration and controls in 8.3 or later and wondering if anyone can translate the
«nat source (indoor, outdoor) static ' for me at a 8.2 version.»
Appreciate any help.
Jeff
NAT (inside, outside) static static source NETWORK_OBJ_192.168.100.0_RemotePool destination NETWORK_OBJ_192.168.3.0_Net1 NETWORK_OBJ_192.168.3.0_Net1 NETWORK_OBJ_192.168.100.0_RemotePool
Hello
This seems to be a NAT0 / NAT exempt in the new 8.3 + NAT format configuration
And I guess it would make sense that we are talking about VPN connections.
It should be something like this
the INTERIOR-NAT0 192.168.3.0 ip access list allow 255.255.255.0 192.168.100.0 255.255.255.0
NAT (inside) 0-list of access to the INTERIOR-NAT0
Naturally the names/networks used in the configuration can be different depending on your existing actual configurations on the firewall.
-Jouni
-
8.4 ASA using NAT VPN issue.
Hello
I'm working on a customer site and they have a problem with one of their VPN (we have other works well), but it is a major issue and I think it's because we use manual NAT and NAT of the object on the same server for different things.
Traffic between indoors and outdoors:
It works with a specific manual NAT rule of source from the server 10.10.10.10 object
Inside
SRC-> DST
10.10.10.10-> 1.1.2.10 1.1.1.10-> 1.1.2.10 SNAT
= VPN =-> 1.1.2.10 1.1.1.10 1.1.1.10-> 1.1.2.10 <3rd party="" fw=""> It works with a specific using the NAT on the server of 10.10.10.10 object
Remote
SRC-> DST
1.1.1.10-> 1.1.2.10 1.1.1.10-> 1.1.2.10 <3rd party="" fw="">= VPN =-> 1.1.2.10 1.1.1.10
1.1.1.10-> DNAT 10.10.10.10 3rd>3rd>If we have the manual NAT and NAT object it does anyway.
So the question is (as I am new to zip code 8.3 ASA) should not mix the 2 types of NAt and look at configuring it all with manual NAT or NAT object?
With the NAT object out it does not work as it is taken in ouside NAT inside all:
Dynamic NAT (inside, outside) source no matter what interface (this NAT to 1.1.1.1 then does not match the card encryption for VPN)
and I tried a no - nat above that, but that does not work either.
Straws and hugging come to mind try to configure a different config. Any pointers in the right direction would be great.
Kind regards
Z
Hello
I'm not sure that installing even with the explanation. Each NAT configuration I did for VPN used Section 1 Manual / NAT twice.
You have configured the rule by default PAT that you use as Section 1 NAT rule. NAT rules in the new software are divided into 3 sections
- Section 1: Manual / twice by NAT
- Section 2: Purpose NAT
- Section 3: Manual / double NAT (moved to section 3 using the setting "auto after")
- The Sections are passed by from 1 to 2 and 3 in order to find a match.
You should also notice that the Section 1 and Section 3 NAT has "line number" similar to the ACL parameter type. So if you have a default existing PAT rule configured for Section 1 and just add another Section 1 NAT rule without line/order number (VPN NAT) then it will just fall under the existing rule, making the new useless rule.
I would advice against the use of the rule by default PAT as Section 1 NAT rule. Finally, this means that you be constantly watch and edit its configuration when you try to configure more specific rules.
As a general rule 3 of the Section the PAT above default configuration would be the following
NAT (inside, outside) after the automatic termination of dynamic source no matter what interface
This would mean that you need to remove the old. That would mean as naturally as the change would temporarily dismantling all the current connections through "inside", "Outside" while you change the NAT rule format.
If after this configure a NAT twice to the VPN (wihtout the setting "auto after"), it will be the rule in article 1 while the default PAT will be Section 3. Of course, Section 1 will be matched first.
I'm not quite sure of what your setup of the foregoing have understood.
You're just source NAT?
I guess that the configuration you do is something like this?
network of the LAN-REAL object
10.10.10.0 subnet 255.255.255.0
purpose of the MAPPED in LAN network
1.1.1.0 subnet 255.255.255.0
being REMOTE-LAN network
1.1.2.0 subnet 255.255.255.0
NAT static destination of LAN LAN-REAL-MAPPED Shared source (indoor, outdoor) REMOTE - LAN LAN
If the network 1.1.1.0/24 is supposed to be one that is connected directly to your "external" to the format interface may need to be anything else.
-Jouni
-
Remote access via NAT VPN client
I currently have a PIX506e configured to provide access to the Cisco VPN Clients remote vpn. A single client can connect successfully and have access to the planned network. However, as soon as I connect an additional client to the firewall from the same place (the two addresses are translated under the same address) the two tunnels will stop working or could not connect.
Is the problem that I face, because two customers have the same address public after NAT, or is - it something else? Is there a way to get around this?
Hello
A lot of THAT NAT will not work if you use ESP.
The solution for this is to allow NAT - t on PIX and VPN client.
PIX:
The following command active NAT - T (for codes plus late 6.3)
ISAKMP nat-traversal
The VPN Client:
On the Transport tab, under the tab "Enable Transport Tunneling" & select "IPSec over UDP (NAT/PAT).
HTH
Kind regards
GE.
-
I have a VPN tunnel configured with this NAT scenario.
permit l2lnat1 to access extended list ip 10.1.1.1 host 172.16.1.1
permit access list extended ip host 10.1.1.2 l2lnat2 172.16.1.1
static (Inside, Outside) 192.168.1.1 access-list l2lnat1
static (Inside, Outside) 192.168.1.2 access-list l2lnat2
This NAT will be bidirectional? In other words if the remote side of 172 try to pull up the tunnel, he will come to the top and nat to allow them to communicate or do I need to have opposite source and destination of each access list for the static method work in the opposite direction.
Thank you.
Hi Ty,
Assuming that you are running the OS pre 8.3 version, then NAT configuration that you have demonstrated is bidirectional as in
http://www.Cisco.com/en/us/docs/security/ASA/asa82/configuration/guide/nat_static.html#wp1080960
According taffic wearing the tunnel upward depends on the configuration of ACL encryption. In your case I think you want NAT 10.1.1.1 (10.1.1.2) to 192.168.1.1 (192.168.1.2) while contacting 172.16.1.1 (172.16.1.2), so what ACL crypto should look as below, because the encryption is finally done:
ACL_CRYPTO allowed ip 192.168.1.1 host 172.16.1.1
ACL_CRYPTO allowed ip 192.168.1.2 host 172.16.1.2
Accordigny peer it IPsec must have above ACL mirrored:
ACL_CRYPTO_PEER allowed ip 172.16.1.1 host 192.168.1.1
ACL_CRYPTO_PEER allowed host 172.16.1.2 ip 192.168.1.2
Kind regards
Pawel
-
Hi all
I have some problems with nat/sheep on a pix 515e.
the pix is connected to a tunnel of site2site on the external interface.
the problem is to ping the vpn tunnel to the hosts of the demilitarized zone.
I think it should with a static entry as follows:
static (outside, dmz) 10.43.26.0 10.43.26.0 netmask 255.255.254.0
but in the newspaper, I always get the message:
305005: no outside group translation not found for icmp src: 10.43.27.250 dmz:10.43.100.3 (type 8, code 0) dst
I also tried a nat rule 0 without success.
Then I attached a config performed:
access-list allowed sheep ip 10.0.0.0 255.0.0.0 10.0.0.0 255.0.0.0
access-list allowed sheep ip 10.0.0.0 255.0.0.0 192.168.0.0 255.255.0.0
access-list allowed sheep ip 10.0.0.0 255.0.0.0 200.1.58.0 255.255.255.0
access-list allowed sheep ip 10.0.0.0 255.0.0.0 172.16.0.0 255.255.0.0
IP outdoor 199.99.99.2 255.255.254.0
IP address inside the 10.43.8.12 255.255.240.0
10.43.100.2 dmz IP address 255.255.255.0
Global (outside) 1 199.99.99.11 netmask 255.255.255.255
Global (outside) 1 199.99.99.14 netmask 255.255.255.255
Global (dmz) 1 10.43.100.50 - 10.43.100.98 netmask 255.255.255.0
Global (dmz) 1 10.43.100.99 netmask 255.255.255.0
NAT (inside) 0 access-list sheep
NAT (inside) 1 10.43.0.44 255.255.255.255 0 0
NAT (inside) 1 10.43.8.0 255.255.255.0 0 0
NAT (inside) 1 10.43.9.0 255.255.255.0 0 0
static (inside, outside) 199.99.99.2 tcp telnet 10.43.8.52 telnet netmask 255.255.255.255 0 0
static (inside, dmz) 10.43.8.29 10.43.8.29 netmask 255.255.255.255 0 0
static (inside, dmz) 10.43.8.20 10.43.8.20 netmask 255.255.255.255 0 0
static (dmz, external) 199.99.99.6 10.43.100.6 netmask 255.255.255.255 0 0
public static 199.99.99.7 (Interior, exterior) 10.43.9.56 netmask 255.255.255.255 0 0
public static 199.99.99.5 (Interior, exterior) 10.43.8.53 netmask 255.255.255.255 0 0
static (dmz, external) 199.99.99.4 10.43.100.4 netmask 255.255.255.255 0 0
static (dmz, external) 199.99.99.3 10.43.100.3 netmask 255.255.255.255 0 0
static (outside, dmz) 10.43.26.0 10.43.26.0 netmask 255.255.254.0 0 0
Access-group acl_out in interface outside
acl_in access to the interface inside group
Access-group acl_dmz in dmz interface
any tips?
Thank you
Armin
Without seeing the rest of the config it is difficult to tell you exactly what's happening (IE ACL, sysopt connection ipsec permits etc.)
However, you will need to have a sheep for the DMZ traffic back through the VPN:
IP 10.43.100.0 allow Access-list sheep-dmz 255.255.255.0 10.43.27.0 255.255.255.0
NAT (dmz) access-list sheep-dmz
Also remove the 10.43.26.0 static (outside, dmz) 10.43.26.0 netmask 255.255.254.0 0 0. I see no reason for you to destination NAT.
HTH
Maybe you are looking for
-
Wireless more than Seagate and office
Hello Recently, I bought a Seagate Wireless Plus to use with my Ipad2. I need mainly to be used for a large number of Word and Excel docs I have is that I use when I am away from home. I noticed that whenever I try to open a document using the Seagat
-
I have problem to open windows 8... I don't remember the email from Outlook... and I can't open the windows... the computer is Compaq 15 Notebook pc
-
Transfer of the laptop to windows phone
Can I use the same application or steps that they use for desktop computer to transfer items from my laptop to my windows phone?
-
connection 2nd screen in vista
I'm trying to connect a monitor 2nd in vista using the 6670 radeon graphics card. 2nd monitor is not detected. any ideas?
-
I try to use Windows Backup and Restore Center to back up files on a server on our network home. The computer sees the server and can read, write, and delete files in the shared folder on the disc. When I try to use the Windows backup software I get