NAT with VPN
Hello friends
I'm a noob with firewalls, and I have created a site-to-site VPN with a customer with the following information:
My site:
10.204.x.x/24
10.69.0.0/24
others
Customer site:
172.30.20.0/24
But my 10.69.0.0 network is also an internal network of the client, so they asked me to do a NAT: when the 10.69.0.0 network goes to 172.30.20.0, it must go out with the 172.30.100.0 addresses.
Does anyone know what configuration can make this work?
Thank you
Marcio,
You can use a policy static NAT:
object network LAN-10.69.0.0
 subnet 10.69.0.0 255.255.x.x
object network obj-172.30.100.0_nat
 subnet 172.30.100.0 255.255.255.0
object network obj-172.30.20.0
 subnet 172.30.20.0 255.255.255.0
nat (inside,outside) source static LAN-10.69.0.0 obj-172.30.100.0_nat destination static obj-172.30.20.0 obj-172.30.20.0
-JP-
Tags: Cisco Security
Similar Questions
-
Static NAT with route map for excluding the VPN
We have problems accessing certain statically NATted IPs via a VPN. After some research, we learned that you have to exclude traffic destined for the VPN from the static NAT using a route map. So we did this:
10.1.1.x is the VPN IP pool.
access-list 130 deny ip 192.168.1.0 0.0.0.255 10.1.1.0 0.0.0.255
access-list 130 permit ip 192.168.1.0 0.0.0.255 any
route-map sheep permit 10
 match ip address 130
ip nat inside source static 192.168.1.5 1.1.1.1 route-map sheep
The above worked to fix the VPN, but the IP 192.168.1.5 is no longer publicly available via 1.1.1.1. What seems to happen is that the static NAT is not really working, and this IP address is NATted with the PAT IP.
Any ideas on how to get this to work?
Thank you
Diego
Hello
The following example details exactly your case:
http://www.Cisco.com/en/us/Tech/tk583/TK372/technologies_configuration_example09186a0080094634.shtml
Try replacing the 192.168.1.0 subnet with the host address.
It should work.
HTH
Laurent.
-
IOS - help with L2L IPsec VPN with NAT
Hello guys,
I'm trying to get a VPN to work for a specific scenario where I NAT the VPN traffic to avoid subnet duplication.
I found several guides on cisco.com, but none of the ones I found show whether (or how) to do NAT overload (for internet traffic), which I need for my setup.
http://www.Cisco.com/en/us/Tech/tk583/TK372/technologies_configuration_example09186a00800b07ed.shtml
http://www.Cisco.com/en/us/products/ps5855/products_configuration_example09186a0080a0ece4.shtml
Basically, I need to know what the configuration looks like when you do static NAT in a VPN tunnel as well as provide internet connectivity using NAT on the same router.
I have attached a drawing that should explain my needs better.
Does someone know of a guide that shows how to do this?
Best regards
Jesper
You can use a static policy NAT to NAT the traffic:
access-list 101 permit ip 10.0.0.0 0.0.0.255 10.30.10.0 0.0.0.255
access-list 102 deny ip 10.0.0.0 0.0.0.255 10.30.10.0 0.0.0.255
access-list 102 permit ip 10.0.0.0 0.0.0.255 any
route-map policy-NAT permit 10
 match ip address 101
route-map internet-NAT permit 10
 match ip address 102
ip nat inside source static network 10.0.0.0 10.30.10.0 /24 route-map policy-NAT
ip nat inside source route-map internet-NAT interface <outside-interface> overload
Hope that helps.
-
Making NAT for VPN clients through an L2L tunnel
Hi. I have the following situation in my network. We need users who log on to our site with the VPN client to connect to another site via an L2L tunnel. The problem is that I need to NAT addresses from the VPN client pool into another range before going over the L2L tunnel, because on the other side we have duplicate networks.
I tried to do NAT with little success as follows:
ACL for NAT of the VPN pool:
access-list TEST extended permit ip 192.168.253.0 255.255.255.0 192.168.0.0 255.255.255.0
access-list TEST extended permit ip 192.168.253.0 255.255.255.0 192.168.5.0 255.255.255.0
NAT:
global (outside) 15 172.20.105.1-172.20.105.254
nat (inside) 15 access-list TEST
CRYPTO ACL:
access-list RO extended permit ip LAN 255.255.0.0 192.168.0.0 255.255.255.0
access-list RO extended permit ip LAN 255.255.0.0 192.168.5.0 255.255.255.0
access-list RO extended permit ip 172.20.105.0 255.255.255.0 192.168.0.0 255.255.255.0
access-list RO extended permit ip 172.20.105.0 255.255.255.0 192.168.5.0 255.255.255.0
same-security-traffic permit intra-interface
Am I missing something here? Is something like this possible at all?
Thanks in advance for any help.
We use the ASA 5510 with software version 8.0(3)6.
You need to NAT on the outside, not the inside.
nat (outside) 15 access-list TEST
-
Summary:
We are trying to establish a two-way L2L VPN tunnel with a partner. VPN traffic is one-to-many towards our partner, and our partner needs many-to-one to us (they need to access a host on our network). In addition, our partner has many VPNs, so they force us to use a separate NAT with two private host addresses, one for each direction of the tunnel.
My initial configuration of the tunnel on my side got Phase 1 up, but not IPSec. The partner ran a debug that revealed that my host address was not NAT'd by the NAT policy. We use an ASA5520, ver 7.0.
Here is the config:
##List of OUR hosts
object-group network OURHosts
 network-object host 192.168.x.y
##List of PARTNER hosts
object-group network PARTNERHosts
 network-object host 10.2.a.b
###ACL for NAT
# Many-to-many outgoing
access-list NAT2 extended permit ip object-group OURHosts object-group PARTNERHosts
# One-to-many incoming
access-list VIH3 extended permit ip host 192.168.c.d object-group PARTNERHosts
##NAT
nat (INSIDE) 2 access-list NAT2
nat (OUTSIDE) 2 172.20.n.0
nat (INSIDE) 3 access-list VIH3
nat (OUTSIDE) 3 172.20.n.1
##ACL for VPN
access-list VPN extended permit ip object-group OURHosts object-group PARTNERHosts
access-list VPN extended permit ip host 192.168.c.d object-group PARTNERHosts
##Tunnel
tunnel-group <#> type ipsec-l2l
crypto map <#> match address VPN
crypto map <#> set transform-set VPN
crypto map <#> set peer <#>
I realize that the ACL for the VPN should read:
access-list VPN extended permit ip host 172.20.n.0 object-group PARTNERHosts
access-list VPN extended permit ip host 172.20.n.1 object-group PARTNERHosts
... if the NAT was working properly, but when this ACL is used, Phase 1 does not even negotiate, so I know the NAT is never translated.
What am I missing to NAT our hosts to 172.20 addresses when they try to access the partner's internal addresses via the VPN?
Thanks in advance.
Patrick
Here is the order of operations for NAT on the firewall:
1. nat 0 access-list (nat exempt)
2. match existing xlates
3. match static commands
 a. static NAT with no access-list
 b. static PAT with no access-list
4. match nat commands
 a. nat [id] access-list (first match)
 b. nat [id] [address] [mask] (best match)
  i. if the id is 0, create an identity xlate
  ii. use global pool for dynamic NAT
  iii. use global pool for dynamic PAT
You could try:
(1) a static NAT with an access-list, which will have priority over the dynamic NAT statement
(2) as you can see in 4a, it uses first match with nat and access-list, so theoretically swapping them around should do the trick.
Do I see any negative consequences? Well, yes, you could lose all connectivity. I don't think that will happen, but I can't promise, so if you do this, absolutely do it after hours.
Jon
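The following is an added example, not part of Jon's reply and not Cisco code: a small Python model of the order of operations he lists, run against a constructed stand-in for Patrick's configuration (the 192.168.10.x, 10.2.3.4 and 172.20.50.x addresses and the ACL contents are made up; they are not the x.y / a.b / n values of the post). It shows the two behaviours Jon's suggestions rely on: a `nat <id> access-list` is chosen by first match in configuration order, so a NAT2 entry that covers the whole subnet silently swallows the one-to-many host, while a static carrying an ACL is consulted before any `nat <id>` statement.

```python
"""Model of the pre-8.3 ASA/PIX NAT order of operations listed above.

Constructed example for this thread, not Cisco code. Addresses, ACL names
and pool values are made-up stand-ins for the x.y / a.b / n placeholders.
"""
import ipaddress
from dataclasses import dataclass, field
from typing import List, Optional, Tuple

IPv4Network = ipaddress.IPv4Network


def net(cidr: str) -> IPv4Network:
    return ipaddress.ip_network(cidr, strict=False)


@dataclass
class Acl:
    """Extended ACL: ordered (permit, source net, destination net) entries."""
    entries: list

    def permits(self, src, dst) -> bool:
        for permit, s, d in self.entries:
            if src in s and dst in d:
                return permit
        return False  # implicit deny at the end of every ACL


@dataclass
class Static:
    real: IPv4Network            # inside ("real") block
    mapped: IPv4Network          # outside ("mapped") block, same size
    acl: Optional[Acl] = None    # set for a policy static NAT


@dataclass
class Dynamic:
    nat_id: int
    pool: str                    # first address of global (outside) <id> ...
    acl: Optional[Acl] = None    # nat (inside) <id> access-list NAME
    real: Optional[IPv4Network] = None  # nat (inside) <id> <address> <mask>


@dataclass
class NatPolicy:
    nat0_acl: Optional[Acl] = None
    statics: List[Static] = field(default_factory=list)
    dynamics: List[Dynamic] = field(default_factory=list)  # configuration order


def shift(addr, real: IPv4Network, mapped: IPv4Network):
    """Static NAT keeps the host offset within the mapped block."""
    offset = int(addr) - int(real.network_address)
    return ipaddress.IPv4Address(int(mapped.network_address) + offset)


def lookup(policy: NatPolicy, src: str, dst: str) -> Tuple[str, str]:
    """Return (step that matched, translated source) for a new inside->outside flow."""
    src, dst = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    # 1. nat 0 access-list: exempt from translation
    if policy.nat0_acl and policy.nat0_acl.permits(src, dst):
        return "1 nat 0 access-list", str(src)
    # 2. existing xlates are not modelled: every call here is a new connection
    # 3. static commands (a policy static additionally carries an ACL)
    for st in policy.statics:
        if src in st.real and (st.acl is None or st.acl.permits(src, dst)):
            return "3 static", str(shift(src, st.real, st.mapped))
    # 4a. nat <id> access-list: FIRST match in configuration order
    for dyn in policy.dynamics:
        if dyn.acl is not None and dyn.acl.permits(src, dst):
            return f"4a nat {dyn.nat_id} access-list", dyn.pool
    # 4b. nat <id> <address> <mask>: BEST (longest-prefix) match
    best = None
    for dyn in policy.dynamics:
        if dyn.real is not None and src in dyn.real:
            if best is None or dyn.real.prefixlen > best.real.prefixlen:
                best = dyn
    if best is None:
        return "no match", str(src)
    if best.nat_id == 0:
        return "4b nat 0 identity", str(src)
    return f"4b nat {best.nat_id} pool", best.pool


# Constructed stand-ins: our hosts in 192.168.10.0/24 (the one-to-many host
# is .7), the partner host 10.2.3.4, single-address pools 172.20.50.0 / .1.
PARTNER = net("10.2.3.4/32")


def build_policy(broad_nat2: bool, policy_static: bool) -> NatPolicy:
    """broad_nat2: NAT2 covers the whole subnet instead of one host.
    policy_static: the one-to-many host uses a policy static (Jon's option 1)."""
    nat2_src = net("192.168.10.0/24") if broad_nat2 else net("192.168.10.5/32")
    nat2 = Acl([(True, nat2_src, PARTNER)])                  # many-to-many outgoing
    vih3 = Acl([(True, net("192.168.10.7/32"), PARTNER)])    # one-to-many
    pol = NatPolicy()
    pol.dynamics.append(Dynamic(2, "172.20.50.0", acl=nat2))  # configured first
    if policy_static:
        pol.statics.append(Static(net("192.168.10.7/32"), net("172.20.50.1/32"), vih3))
    else:
        pol.dynamics.append(Dynamic(3, "172.20.50.1", acl=vih3))
    pol.dynamics.append(Dynamic(1, "203.0.113.10", real=net("0.0.0.0/0")))  # Internet PAT
    return pol


if __name__ == "__main__":
    for broad, static in ((False, False), (True, False), (True, True)):
        print(f"broad_nat2={broad} policy_static={static}:",
              lookup(build_policy(broad, static), "192.168.10.7", "10.2.3.4"))
```

Running it prints the translation chosen for the one-to-many host in three configurations: host-specific ACLs (nat 3 is reached), a broad NAT2 (nat 2 wins by first match and nat 3 is never consulted), and the broad NAT2 with the host moved to a policy static (the static is matched at step 3, before any nat statement). Existing xlates (step 2) are deliberately left out, which is also why changing NAT on a live box can strand existing connections.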
-
Problem with "sysopt connection permit-vpn"
Hi all
I would like to ask you for advice about "sysopt connection permit-vpn". I have a problem with bypassing the access list (ACL) on the INSIDE interface. As I understand it, when I use this command there is no need to specifically allow the traffic in the access list for INSIDE, and I can control the traffic with the vpn-filter. But in my case it's quite the opposite: I have to specifically allow this traffic in the INSIDE ACL. When I allow this traffic in the inside ACL, the L2L tunnel comes up, traffic flows through the vpn-filter ACL and everything is OK. But when I do not allow this traffic in the INSIDE ACL, the deny statement in the INSIDE ACL blocks the traffic and the tunnel never comes up. Part of the configuration can be seen below.
Please let me know if I'm wrong, or what I did wrong.
Thank you
Karel
PHA-FW01# show ver | inc Ver
Cisco Adaptive Security Appliance Software Version 4,0000 1
PHA-FW01# show run all sysopt
no sysopt connection timewait
sysopt connection tcpmss 1380
sysopt connection tcpmss minimum 0
sysopt connection permit-vpn
sysopt connection reclassify-vpn
no sysopt connection preserve-vpn-flows
no sysopt radius ignore-secret
no sysopt noproxyarp inside
no sysopt noproxyarp EXT-VLAN20
no sysopt noproxyarp EXT-WIFI-VLAN30
no sysopt noproxyarp OUTSIDE
PHA-FW01# show run object-group id ALGOTECH
object-group network ALGOTECH
 network-object 10.10.22.0 255.255.255.0
 network-object host 172.16.15.11
PHA-FW01# show running-config object id VLAN20
object network VLAN20
 subnet 10.1.2.0 255.255.255.0
access-list L2L_to_ALGOTECH extended permit ip object VLAN20 object-group ALGOTECH
access-list ACL-ALGOTECH extended permit ip object-group ALGOTECH object VLAN20
access-list EXT-VLAN20 remark =.
access-list EXT-VLAN20 extended permit ip object VLAN20 object-group ALGOTECH   #why must this rule be here?
access-list EXT-VLAN20 extended permit udp object VLAN20 object-group OUT-DNS-SERVERS eq domain
access-list EXT-VLAN20 extended permit ip object VLAN20 object VPN-USERS
access-list EXT-VLAN20 extended permit ip object VLAN20 object-group OPENVPN-SASPO
access-list EXT-VLAN20 extended permit ip object VLAN20 object VLAN10
access-list EXT-VLAN20 extended deny ip any object-group LOCAL-NETS log
access-list EXT-VLAN20 extended permit icmp any any echo
access-list EXT-VLAN20 extended permit object-group SERVICE-VLAN20 object VLAN20 any
access-list EXT-VLAN20 extended deny ip any any log
access-list ACL-ALGOTECH extended permit ip object-group ALGOTECH object VLAN20
group-policy GROUP_POLICY-91.X41.X.12 internal
group-policy GROUP_POLICY-91.X41.X.12 attributes
 vpn-filter value ACL-ALGOTECH
 vpn-tunnel-protocol ikev1
tunnel-group 91.X41.X.12 type ipsec-l2l
tunnel-group 91.X41.X.12 general-attributes
 default-group-policy GROUP_POLICY-91.X41.X.12
tunnel-group 91.X41.X.12 ipsec-attributes
 ikev1 pre-shared-key *
PHA-FW01# show running-config nat
nat (EXT-VLAN20,OUTSIDE) source static VLAN20 VLAN20 destination static ALGOTECH ALGOTECH no-proxy-arp route-lookup
object network VLAN20
 nat (EXT-VLAN20,OUTSIDE) dynamic interface
access-group INSIDE in interface inside
access-group EXT-VLAN20 in interface EXT-VLAN20
Hello
The command "sysopt connection permit-vpn" is the default setting, and it applies only to bypassing the interface ACL on the interface that terminates the VPN. That would be the external (outside) interface. This command has no effect on the ACLs of the other interfaces.
So if you initiate or need to open connections from your local networks to the remote network through the L2L VPN connection, then you will need to allow this traffic in your LAN interface ACL.
If the situation were that only the remote end initiated connections to your network, then "sysopt connection permit-vpn" would allow their connections around the external interface ACL. If you have a VPN filter ACL configured, I think the traffic will still be checked against that ACL.
Here is the ASA command reference section for the "sysopt" command:
http://www.Cisco.com/en/us/docs/security/ASA/command-reference/S21.html#wp1567918
-Jouni
-
I have two problems with the IPSEC VPN using the Cisco client, and a third which I think could be answered here, even if it isn't strictly associated with the VPN.
1. Cannot access the internet while the VPN is up. This could be a client problem, as I *think* I've set up split tunneling correctly.
2. Cannot access other networks except the network natively associated with the inside interface.
3. I cannot ping the internet from inside, whether on the VPN or not.
I tend to use ASDM; please, if possible, keep the answer to that kind of input.
Here is the config:
Output of the command: "sh run"
: Saved
:
ASA Version 8.4(1)
!
hostname BVGW
domain-name blueVector.com
enable password qWxO.XjLGf3hYkQ1 encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
names
!
interface Ethernet0/0
 nameif outside
 security-level 10
 ip address 5.29.79.10 255.255.255.248
!
interface Ethernet0/1
 nameif inside
 security-level 100
 ip address 172.17.1.2 255.255.255.0
!
interface Ethernet0/2
 shutdown
 no nameif
 no security-level
 no ip address
!
interface Ethernet0/3
 shutdown
 no nameif
 no security-level
 no ip address
!
interface Management0/0
 nameif management
 security-level 100
 ip address 172.19.1.1 255.255.255.0
 management-only
!
ftp mode passive
dns server-group DefaultDNS
 domain-name blueVector.com
same-security-traffic permit inter-interface
same-security-traffic permit intra-interface
object network WiFi
 subnet 172.17.100.0 255.255.255.0
 description WiFi
object network Inside-net
 subnet 172.17.1.0 255.255.255.0
object network NOSPAM
 host 172.17.1.60
object network BH2
 host 172.17.1.60
object network EX2
 host 172.17.1.61
 description internal Exchange / SMTP outgoing
object network Mail2
 host 5.29.79.11
 description Ext EX2
object network NETWORK_OBJ_172.17.1.240_28
 subnet 172.17.1.240 255.255.255.240
object network NETWORK_OBJ_172.17.200.0_24
 subnet 172.17.200.0 255.255.255.0
object-group service DM_INLINE_TCP_1 tcp
 port-object eq www
 port-object eq https
object-group network DM_INLINE_NETWORK_1
 network-object object BH2
 network-object object NOSPAM
access-list Outside_access_in extended permit tcp any object-group DM_INLINE_NETWORK_1 eq smtp
access-list Outside_access_in extended permit tcp any object BH2 object-group DM_INLINE_TCP_1
pager lines 24
logging enable
logging asdm informational
mtu outside 1500
mtu inside 1500
mtu management 1500
ip local pool VPN 172.17.1.240-172.17.1.250 mask 255.255.255.0
ip local pool VPN2 172.17.200.100-172.17.200.200 mask 255.255.255.0
no failover
icmp unreachable rate-limit 1 burst-size 1
no asdm history enable
arp timeout 14400
nat (inside,outside) source static EX2 Mail2
nat (inside,outside) source static any any destination static NETWORK_OBJ_172.17.1.240_28 NETWORK_OBJ_172.17.1.240_28
nat (inside,outside) source static any any destination static NETWORK_OBJ_172.17.200.0_24 NETWORK_OBJ_172.17.200.0_24
nat (inside,outside) source static Inside-net Inside-net destination static NETWORK_OBJ_172.17.1.240_28 NETWORK_OBJ_172.17.1.240_28
!
object network Inside-net
 nat (inside,outside) dynamic interface
object network NOSPAM
 nat (inside,outside) static 5.29.79.12
access-group Outside_access_in in interface outside
route outside 0.0.0.0 0.0.0.0 5.29.79.9 1
route inside 10.2.0.0 255.255.255.0 172.17.1.1 1
route inside 10.3.0.0 255.255.255.128 172.17.1.1 1
route inside 10.10.10.0 255.255.255.0 172.17.1.1 1
route inside 172.17.100.0 255.255.255.0 172.17.1.3 1
route inside 172.18.1.0 255.255.255.0 172.17.1.1 1
route inside 192.168.1.0 255.255.255.0 172.17.1.1 1
route inside 192.168.11.0 255.255.255.0 172.17.1.1 1
route inside 192.168.30.0 255.255.255.0 172.17.1.1 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
dynamic-access-policy-record DfltAccessPolicy
aaa-server blueVec protocol ldap
aaa-server blueVec (inside) host 172.17.1.41
 ldap-base-dn DC=adrs1,DC=net
 ldap-group-base-dn DC=EIM,DC=net
 ldap-scope subtree
 ldap-naming-attribute sAMAccountName
 ldap-login-password *
 ldap-login-dn CN=Hanna\, Roger,OU=human,OU=WPLAdministrator,DC=adrs1,DC=net
 server-type microsoft
http server enable
http 192.168.1.0 255.255.255.0 management
http 172.17.1.0 255.255.255.0 inside
http 24.32.208.223 255.255.255.255 outside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart warmstart
crypto ipsec ikev1 transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-DES-SHA esp-des esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-DES-MD5 esp-des esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set ikev1 transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5
crypto map Outside_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
crypto map Outside_map interface outside
crypto ikev1 enable outside
crypto ikev1 policy 10
 authentication pre-share
 encryption 3des
 hash sha
 group 2
 lifetime 86400
crypto ikev1 policy 30
 authentication crack
 encryption 3des
 hash sha
 group 2
 lifetime 86400
telnet timeout 5
ssh 172.17.1.0 255.255.255.0 inside
ssh timeout 5
console timeout 0
dhcpd address 172.17.1.100-172.17.1.200 inside
dhcpd dns 4.2.2.2 8.8.8.8 interface inside
dhcpd lease 100000 interface inside
dhcpd domain adrs1.net interface inside
!
threat-detection basic-threat
threat-detection statistics
threat-detection statistics tcp-intercept rate-interval 30 burst-rate 400 average-rate 200
webvpn
group-policy blueV internal
group-policy blueV attributes
 wins-server value 172.17.1.41
 dns-server value 172.17.1.41 172.17.1.42
 vpn-tunnel-protocol ikev1
 default-domain value ADRS1.NET
group-policy blueV_1 internal
group-policy blueV_1 attributes
 wins-server value 172.17.1.41
 dns-server value 172.17.1.41 172.17.1.42
 vpn-tunnel-protocol ikev1
 split-tunnel-policy tunnelspecified
 default-domain value adrs1.NET
username gwhitten password 8fLfC1TTV35zytjA encrypted privilege 0
username gwhitten attributes
 vpn-group-policy blueV
username rparker password FnbvAdOZxk4r40E5 encrypted privilege 15
username rparker attributes
 vpn-group-policy blueV
username mhale password 2reWKpsLC5em3o1P encrypted privilege 0
username mhale attributes
 vpn-group-policy blueV
username VpnUser2 password SlHbkDWqPQLgylxJ encrypted privilege 0
username VpnUser2 attributes
 vpn-group-policy blueV
username Vpnuser3 password R6zHxBM9chjqBPHl encrypted privilege 0
username Vpnuser3 attributes
 vpn-group-policy blueV
username VpnUser1 password mLHXwxsjJEIziFgb encrypted privilege 0
username VpnUser1 attributes
 vpn-group-policy blueV
username dcoletto password g53yRiEqpcYkSyYS encrypted privilege 0
username dcoletto attributes
 vpn-group-policy blueV
username jmcleod password aSV6RHsq7Wn/YJ7X encrypted privilege 0
username jmcleod attributes
 vpn-group-policy blueV
username rhanna password Pd3E3vqnGmV84Ds2 encrypted privilege 15
username rhanna attributes
 vpn-group-policy blueV
username rheimann password tHH5ZYDXJ0qKyxnk encrypted privilege 0
username rheimann attributes
 vpn-group-policy blueV
username jwoosley password yBOc8ubzzbeBXmuo encrypted privilege 0
username jwoosley attributes
 vpn-group-policy blueV
username kdavis password 2DBQVSUbfTBuxC8u encrypted privilege 0
username kdavis attributes
 vpn-group-policy blueV
username mbell password adskOOsnVPnw6eJD encrypted privilege 0
username mbell attributes
 vpn-group-policy blueV
username bmiller password dpqK9cKk50J7TuPN encrypted privilege 0
username bmiller attributes
 vpn-group-policy blueV
tunnel-group blueV type remote-access
tunnel-group blueV general-attributes
 address-pool VPN2
 authentication-server-group blueVec
 default-group-policy blueV_1
tunnel-group blueV ipsec-attributes
 ikev1 pre-shared-key *
!
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum client auto
  message-length maximum 512
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect rsh
  inspect rtsp
  inspect esmtp
  inspect sqlnet
  inspect skinny
  inspect sunrpc
  inspect xdmcp
  inspect sip
  inspect netbios
  inspect tftp
  inspect ip-options
!
service-policy global_policy global
prompt hostname context
call-home
 profile CiscoTAC-1
  no active
  destination address http https://tools.cisco.com/its/service/oddce/services/DDCEService
  destination address email [email protected]
  destination transport-method http
  subscribe-to-alert-group diagnostic
  subscribe-to-alert-group environment
  subscribe-to-alert-group inventory periodic monthly
  subscribe-to-alert-group configuration periodic monthly
  subscribe-to-alert-group telemetry periodic daily
hpm topN enable
Cryptochecksum:2491a825fb8a81439a6c80288f33818e
: end
Any help is appreciated!
-Roger
Hey,
Unfortunately I don't use ASDM myself, but I will mention things that could be done anyway.
You do not have split tunneling. All traffic is tunneled to the ASA while the VPN is active.
You have the following line under the "group-policy":
split-tunnel-policy tunnelspecified
You will also need this line:
split-tunnel-network-list value
It defines the destination networks for the VPN Client. If you go into the group policy settings on the ASDM side, you should see that no ACL is selected. You don't really seem to have an ACL for the split tunneling in the configuration above?
To enable Internet access via the VPN Client with the current configuration, I would suggest the following NAT configuration:
object-group network VPN-CLIENT-PAT-SOURCE
 network-object 172.17.200.0 255.255.255.0
nat (outside,outside) after-auto source dynamic VPN-CLIENT-PAT-SOURCE interface
Regarding the traffic not working to the other networks, I'm not really sure. I guess it isn't hitting the NAT rules that are configured. I think it should, but I guess it isn't, since it doesn't work.
I could myself try the following NAT configuration:
object-group network LAN-NETWORKS
 network-object 10.2.0.0 255.255.255.0
 network-object 10.3.0.0 255.255.255.128
 network-object 10.10.10.0 255.255.255.0
 network-object 172.17.100.0 255.255.255.0
 network-object 172.18.1.0 255.255.255.0
 network-object 192.168.1.0 255.255.255.0
 network-object 192.168.11.0 255.255.255.0
 network-object 192.168.30.0 255.255.255.0
object-group network VPN-POOL
 network-object 172.17.200.0 255.255.255.0
nat (inside,outside) source static LAN-NETWORKS LAN-NETWORKS destination static VPN-POOL VPN-POOL
Add ICMP inspection:
policy-map global_policy
 class inspection_default
  inspect icmp
or alternatively
fixup protocol icmp
This will automatically allow ICMP echo reply messages to pass through the firewall. I assume they are being blocked by the firewall now, since you have not enabled ICMP inspection before.
-Jouni
-
Difficulty accessing 1 remote desktop when connected with VPN
Hello world
I have an ASA 5505 and have a problem where, when I connect via VPN, I can RDP into a server using its internal address but I can't RDP to another server using its internal address.
The one that I can connect to has an IP of 192.168.2.10, and the one I can't connect to has an IP address of 192.168.2.11 on port 3390.
The two rules are configured exactly the same except for the IP addresses, and I can't see why I can't connect to this server.
I am also able to connect to my camera system with an IP of 192.168.2.25 on port 37777 and able to ping any other device on the internal network.
I also tried to ping it and Telnet to port 3390 without success.
Here is the config.
ASA Version 4,0000 1
!
!
interface Ethernet0/0
switchport access vlan 3
!
interface Ethernet0/1
!
interface Ethernet0/2
switchport access vlan 2
!
interface Ethernet0/3
!
interface Ethernet0/4
!
interface Ethernet0/5
!
interface Ethernet0/6
!
interface Ethernet0/7
!
interface Vlan2
 nameif inside
 security-level 100
 ip address 192.168.2.2 255.255.255.0
!
interface Vlan3
 nameif outside
 security-level 0
 ip address 10.1.1.1 255.255.255.0
!
ftp mode passive
clock timezone EST -5
clock summer-time EDT recurring
object network obj_any
 subnet 0.0.0.0 0.0.0.0
object network OWTS-LAN-OUT
 range 10.1.1.10 10.1.1.49
object network OWTS-LAN-IN
 subnet 192.168.2.0 255.255.255.0
object service RDP3389
 service tcp destination eq 3389
 description DC
object network SERVER-IN
 host 192.168.2.10
object network SERVER-OUT
 host 10.1.1.50
object network CAMERA-IN-TCP
 host 192.168.2.25
object network CAMERA-OUT
 host 10.1.1.51
object service CAMERA-TCP
 service tcp destination eq 37777
object network SERVER-Virt-IN
 host 192.168.2.11
object network SERVER-Virt-OUT
 host 10.1.1.52
object service RDP3390
 service tcp destination eq 3390
 description VS for Master
object network CAMERA-IN-UDP
 host 192.168.2.25
object service CAMERA-UDP
 service udp destination eq 37778
object network OWTS-LAN-OUT-VPN
 subnet 10.1.1.128 255.255.255.128
object network SERVER-Virt-IN-VPN
 host 192.168.2.11
object network SERVER-IN-VPN
 host 192.168.2.10
object network CAMERA-IN-VPN
 host 192.168.2.25
object-group protocol TCPUDP
 protocol-object udp
 protocol-object tcp
access-list AnyConnect_Client_Local_Print extended deny ip any any
access-list AnyConnect_Client_Local_Print extended permit tcp any any eq lpd
access-list AnyConnect_Client_Local_Print remark IPP: Internet Printing Protocol
access-list AnyConnect_Client_Local_Print extended permit tcp any any eq 631
access-list AnyConnect_Client_Local_Print remark Windows' port
access-list AnyConnect_Client_Local_Print extended permit tcp any any eq 9100
access-list AnyConnect_Client_Local_Print remark mDNS: multicast DNS protocol
access-list AnyConnect_Client_Local_Print extended permit udp any host 224.0.0.251 eq 5353
access-list AnyConnect_Client_Local_Print remark LLMNR: Link Local Multicast Name Resolution protocol
access-list AnyConnect_Client_Local_Print extended permit udp any host 224.0.0.252 eq 5355
access-list AnyConnect_Client_Local_Print remark TCP/NetBIOS protocol
access-list AnyConnect_Client_Local_Print extended permit tcp any any eq 137
access-list AnyConnect_Client_Local_Print extended permit udp any any eq netbios-ns
access-list inside1_access_in remark Implicit rule: Permit all traffic to less secure networks
access-list inside1_access_in extended permit ip any any
access-list outside_access_in extended permit object RDP3389 any host 192.168.2.10
access-list outside_access_in extended permit object RDP3390 any host 192.168.2.11
access-list outside_access_in extended permit object CAMERA-TCP any host 192.168.2.25
access-list outside_access_in extended permit object CAMERA-UDP any host 192.168.2.25
pager lines 24
logging enable
logging buffer-size 10240
logging asdm informational
mtu inside 1500
mtu outside 1500
ip local pool RAVPN 10.1.1.129-10.1.1.254 mask 255.255.255.128
no failover
icmp unreachable rate-limit 1 burst-size 1
no asdm history enable
arp timeout 14400
nat (inside,outside) source static OWTS-LAN-OUT-VPN OWTS-LAN-OUT-VPN destination static SERVER-IN-VPN SERVER-IN-VPN
nat (inside,outside) source static OWTS-LAN-OUT-VPN OWTS-LAN-OUT-VPN destination static CAMERA-IN-VPN CAMERA-IN-VPN
nat (inside,outside) source static OWTS-LAN-OUT-VPN OWTS-LAN-OUT-VPN destination static SERVER-Virt-IN-VPN SERVER-Virt-IN-VPN
!
object network OWTS-LAN-IN
 nat (inside,outside) dynamic interface
object network SERVER-IN
 nat (inside,outside) static SERVER-OUT service tcp 3389 3389
object network CAMERA-IN-TCP
 nat (inside,outside) static CAMERA-OUT service tcp 37777 37777
object network SERVER-Virt-IN
 nat (inside,outside) static SERVER-Virt-OUT service tcp 3390 3390
access-group inside1_access_in in interface inside
access-group outside_access_in in interface outside
route outside 0.0.0.0 0.0.0.0 10.1.1.2 1
timeout xlate 3:00:00
timeout pat-xlate 0:00:30
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
dynamic-access-policy-record DfltAccessPolicy
user-identity default-domain LOCAL
http server enable
http 192.168.2.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart warmstart
crypto ipsec ikev1 transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-DES-SHA esp-des esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-DES-MD5 esp-des esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set pfs group1
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set ikev1 transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5
crypto map outside_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
crypto map outside_map interface outside
crypto ca trustpoint ASDM_TrustPoint0
 enrollment terminal
 subject-name CN=SACTSGRO
 crl configure
crypto ikev1 enable outside
crypto ikev1 policy 10
 authentication crack
 encryption aes-256
 hash sha
 group 2
 lifetime 86400
crypto ikev1 policy 20
 authentication rsa-sig
 encryption aes-256
 hash sha
 group 2
 lifetime 86400
crypto ikev1 policy 30
 authentication pre-share
 encryption aes-256
 hash sha
 group 2
 lifetime 86400
crypto ikev1 policy 40
 authentication crack
 encryption aes-192
 hash sha
 group 2
 lifetime 86400
crypto ikev1 policy 50
 authentication rsa-sig
 encryption aes-192
 hash sha
 group 2
 lifetime 86400
crypto ikev1 policy 60
 authentication pre-share
 encryption aes-192
 hash sha
 group 2
 lifetime 86400
crypto ikev1 policy 70
 authentication crack
 encryption aes
 hash sha
 group 2
 lifetime 86400
crypto ikev1 policy 80
 authentication rsa-sig
 encryption aes
 hash sha
 group 2
 lifetime 86400
crypto ikev1 policy 90
 authentication pre-share
 encryption aes
 hash sha
 group 2
 lifetime 86400
crypto ikev1 policy 100
 authentication crack
 encryption 3des
 hash sha
 group 2
 lifetime 86400
crypto ikev1 policy 110
 authentication rsa-sig
 encryption 3des
 hash sha
 group 2
 lifetime 86400
crypto ikev1 policy 120
 authentication pre-share
 encryption 3des
 hash sha
 group 2
 lifetime 86400
crypto ikev1 policy 130
 authentication crack
 encryption des
 hash sha
 group 2
 lifetime 86400
crypto ikev1 policy 140
 authentication rsa-sig
 encryption des
 hash sha
 group 2
 lifetime 86400
crypto ikev1 policy 150
 authentication pre-share
 encryption des
 hash sha
 group 2
 lifetime 86400
telnet 192.168.2.0 255.255.255.0 inside
telnet timeout 15
ssh 192.168.2.0 255.255.255.0 inside
ssh timeout 5
ssh version 2
ssh key-exchange group dh-group1-sha1
console timeout 15
dhcpd auto_config inside
!
threat-detection basic-threat
threat-detection statistics port
threat-detection statistics protocol
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
webvpn
username admin password xxxxx encrypted privilege 15
username admin attributes
 vpn-group-policy DfltGrpPolicy
tunnel-group CTSGRA type remote-access
tunnel-group CTSGRA general-attributes
 address-pool RAVPN
tunnel-group CTSGRA ipsec-attributes
 ikev1 pre-shared-key *
!
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map global_policy
 class inspection_default
  inspect icmp
!
service-policy global_policy global
prompt hostname context
no call-home reporting anonymous
Cryptochecksum:0140431e7642742a856e91246356e6a2
: end
Thanks for your help
Ok
So basically, you set up the router so that you can connect directly to the ASA using the Cisco VPN Client. And also, the goal was ultimately to allow traffic to the LAN ONLY through the VPN Client connection.
It seems to me that you only need the following NAT configurations
VPN Client NAT0 / NAT Exempt / Identity NAT
object network LAN
 subnet 192.168.2.0 255.255.255.0
object network VPN-POOL
 subnet 10.1.1.128 255.255.255.128
nat (inside,outside) source static LAN LAN destination static VPN-POOL VPN-POOL
The NAT configuration above simply tells the ASA not to do any type of NAT for traffic between the LAN network 192.168.2.0/24 and the VPN pool 10.1.1.128/25. That way, if you have additional hosts on the local network that need to be reachable, you won't have to make any changes to the NAT configuration for VPN Client users. You simply need to allow the connections in the ACL (explained further below).
Default PAT
object-group network DEFAULT-PAT-SOURCE
 network-object 192.168.2.0 255.255.255.0
nat (inside,outside) after-auto source dynamic DEFAULT-PAT-SOURCE interface
This configuration is just meant to replace the previous dynamic PAT rule on the ASA. I guess your router will translate the ASA "outside" interface IP address to the router's public IP address, and this configuration should allow normal Internet use from the local network.
I suggest you remove all other NAT configurations before adding these.
Controlling VPN Client access to internal resources
Also, I assume that your current VPN Client is configured as Full Tunnel. In other words, it will tunnel all traffic through the VPN connection while it is active?
To control traffic from the VPN Client users, I would suggest that you do the following
- Configure "no sysopt connection permit-vpn"
- This will change the ASA's operation so that connections through a VPN connection are NOT allowed by default to bypass the "outside" interface ACL. So after this change, you can allow the connections you need in the "outside" interface ACL.
- Configure the rules you need for connections from VPN Clients in the "outside" interface ACL. Although I guess they already exist, since you connect there without the VPN too.
I can't say this with 100% certainty, but it seems to me that with the above you should get to the point where you can access internal resources ONLY after you have connected to the ASA via the VPN Client connection. Naturally, take precautions like configuration backups if you make major configuration changes. If you manage the ASA remotely, you also have the option to configure a timer on the ASA after which it reloads automatically. This could help in situations where a misconfiguration breaks your management connection and you don't have another way to connect remotely. The ASA would then simply reload after that timer expires and come back up with the original configuration (as long as you did not save anything in between).
Why do you use a different port for the RDP connection to the other device? I can understand it if it is used over the Internet, but if the RDP connection is only used by the VPN Client, then I don't think it is necessary to change the default port 3389 on the server or on the ASA.
Also, of course, if there is something on the actual server side preventing these connections, then these configuration changes may not help at all.
Let me know if I understood something wrong
-Jouni
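Added example (not part of Jouni's answer or any Cisco code): a small Python model of how the ASA 8.3+ NAT table is walked, to show why the identity rule between LAN and VPN-POOL has to be consulted ahead of the dynamic PAT, which is what the "after-auto" keyword arranges by placing the PAT in Section 3. The outside interface address 198.51.100.2, the Internet host 203.0.113.5 and the sample flows are constructed values; the object names and subnets are the ones from the answer above.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional

OUTSIDE_IP = "198.51.100.2"   # constructed placeholder for the ASA "outside" interface address
ANY = ipaddress.ip_network("0.0.0.0/0")
LAN = ipaddress.ip_network("192.168.2.0/24")        # object network LAN
VPN_POOL = ipaddress.ip_network("10.1.1.128/25")    # object network VPN-POOL


@dataclass
class NatRule:
    name: str
    section: int                    # 1 = manual NAT, 2 = object NAT, 3 = manual NAT "after-auto"
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network      # ANY when the rule has no destination clause
    translate_to: Optional[str]     # None = identity (source kept), else the PAT address

    def matches(self, src_ip, dst_ip):
        return src_ip in self.src and dst_ip in self.dst


# nat (inside,outside) source static LAN LAN destination static VPN-POOL VPN-POOL
IDENTITY = NatRule("identity LAN<->VPN-POOL", 1, LAN, VPN_POOL, None)
# nat (inside,outside) after-auto source dynamic DEFAULT-PAT-SOURCE interface
DEFAULT_PAT = NatRule("dynamic PAT to interface", 3, LAN, ANY, OUTSIDE_IP)


def build_table(rules=(IDENTITY, DEFAULT_PAT)):
    """Order rules the way the ASA evaluates them: Section 1, then 2, then 3.
    The sort is stable, so configured order is kept within a section."""
    return sorted(rules, key=lambda r: r.section)


def translate(table, src, dst):
    """First matching rule wins; returns (rule name, source address after NAT)."""
    src_ip, dst_ip = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for rule in table:
        if rule.matches(src_ip, dst_ip):
            return rule.name, (src if rule.translate_to is None else rule.translate_to)
    return "no match (untranslated)", src


def demo():
    table = build_table()
    return {
        # LAN host talking to a connected VPN Client: identity rule, no translation
        "lan_to_vpn_client": translate(table, "192.168.2.10", "10.1.1.130"),
        # LAN host browsing the Internet: falls through to the Section 3 PAT
        "lan_to_internet": translate(table, "192.168.2.10", "203.0.113.5"),
        # a host added later needs no NAT change because the rule covers the whole /24
        "new_lan_host_to_vpn": translate(table, "192.168.2.250", "10.1.1.200"),
    }


def misordered_demo():
    """The same PAT entered as a plain Section 1 rule ahead of the identity rule:
    VPN Client traffic now gets PATed, which is the mistake "after-auto" prevents."""
    pat_first = NatRule(DEFAULT_PAT.name, 1, DEFAULT_PAT.src, DEFAULT_PAT.dst, DEFAULT_PAT.translate_to)
    return translate(build_table((pat_first, IDENTITY)), "192.168.2.10", "10.1.1.130")


if __name__ == "__main__":
    for flow, result in demo().items():
        print(f"{flow:22s} -> {result}")
    print("PAT placed first       ->", misordered_demo())
```

The model only decides which rule a flow hits and what its source becomes; it ignores destination translation and interface pairs, which is enough to see that a Section 3 PAT can never shadow the Section 1 exemption.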
-
Passed the port, conflict with VPN
Hello
I have a WEB SERVER I want to share, and the port forwarding below works well:
I mean by that:
The WEB SERVER is 192.168.10.10 on the local network and on the WEB it's 81.83.XX.YY:8095
When I try that, it works with VPN ON or OFF.
If I make a VPN TUNNEL, the link above still works, but I can't see it at its original address: 192.168.10.10
Here below is a small part of the original script and half of the solution:
ip nat inside source static tcp 192.168.10.68 5800 interface FastEthernet0/0 5800
ip nat inside source list 170 interface FastEthernet0/0 overload
ip nat inside source static tcp 192.168.10.10 80 interface FastEthernet0/0 8095
ip nat inside source static tcp 192.168.10.68 5900 interface FastEthernet0/0 5900
ip nat inside source list NAT1 interface FastEthernet0/0.245 overload
!
access-list 150 permit ip 192.168.10.0 0.0.0.255 172.16.0.0 0.0.0.255
access-list 170 deny ip 192.168.10.0 0.0.0.255 172.16.0.0 0.0.0.255
access-list 170 permit ip 192.168.10.0 0.0.0.255 any
SOLUTION: With this I can access my server VIA VPN, but because I removed the forwarded port, 81.83.XX.YY:8095 no longer works. No idea if I can do something in an ACL?
ip nat inside source static tcp 192.168.10.68 5800 interface FastEthernet0/0 5800
ip nat inside source list 170 interface FastEthernet0/0 overload
ip nat inside source static tcp 192.168.10.10 80 interface FastEthernet0/0 8095
ip nat inside source static tcp 192.168.10.68 5900 interface FastEthernet0/0 5900
ip nat inside source list NAT1 interface FastEthernet0/0.245 overload
!
access-list 150 permit ip 192.168.10.0 0.0.0.255 172.16.0.0 0.0.0.255
access-list 170 deny ip 192.168.10.0 0.0.0.255 172.16.0.0 0.0.0.255
access-list 170 permit ip 192.168.10.0 0.0.0.255 any
Best regards
Didier
Didier,
I'm sorry for the delay!
I'll try to help you with this issue until it gets resolved :-)
Now... Certainly, I think the best solution is to have a static IP address so that we can apply a route-map; is that an option?
Federico.
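Added example (not part of Didier's or Federico's posts): a Python model of the two kinds of "ip nat inside source" rule in the config above. It shows why a static port forward for 192.168.10.10:80 with no route-map also rewrites the server's replies that should stay untranslated inside the tunnel to 172.16.0.0/24, and how attaching a route-map that denies the VPN subnet (the approach from the "Static NAT with route map" thread earlier on this page) leaves tunnel traffic alone while the port forward keeps working from the Internet. The public address 203.0.113.10, the Acl helper, the remote hosts and the overload port are constructed; whether a given IOS release accepts a route-map on a static tcp entry should be checked against the command reference for that platform.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple

PUBLIC_IP = "203.0.113.10"   # constructed stand-in for the 81.83.XX.YY interface address
LAN_NET = ipaddress.ip_network("192.168.10.0/24")
VPN_NET = ipaddress.ip_network("172.16.0.0/24")
ANY = ipaddress.ip_network("0.0.0.0/0")


@dataclass
class Acl:
    """Hypothetical simplified extended ACL: ordered (permit, src, dst) entries."""
    entries: List[Tuple[bool, ipaddress.IPv4Network, ipaddress.IPv4Network]]

    def permits(self, src, dst):
        for permit, s, d in self.entries:
            if src in s and dst in d:
                return permit
        return False          # implicit deny at the end of every IOS ACL


@dataclass
class StaticTcp:
    """ip nat inside source static tcp <ip> <port> interface Fa0/0 <gport> [route-map <name>]"""
    inside_ip: str
    inside_port: int
    global_port: int
    route_map: Optional[Acl] = None   # the route-map is modelled by the ACL it matches


@dataclass
class DynamicOverload:
    """ip nat inside source list <acl> interface Fa0/0 overload"""
    acl: Acl


# access-list 170 deny ip 192.168.10.0 0.0.0.255 172.16.0.0 0.0.0.255
# access-list 170 permit ip 192.168.10.0 0.0.0.255 any
ACL_170 = Acl([(False, LAN_NET, VPN_NET), (True, LAN_NET, ANY)])


def inside_to_outside(rules, src_ip, src_port, dst_ip):
    """Source NAT for an inside->outside packet; returns the (address, port) the router emits."""
    s, d = ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip)
    # Static entries take precedence over dynamic ones.
    for r in rules:
        if isinstance(r, StaticTcp) and r.inside_ip == src_ip and r.inside_port == src_port:
            if r.route_map is None or r.route_map.permits(s, d):
                return PUBLIC_IP, r.global_port
    for r in rules:
        if isinstance(r, DynamicOverload) and r.acl.permits(s, d):
            return PUBLIC_IP, 40000   # constructed: whatever port the overload picks
    return src_ip, src_port           # no rule matched: the packet leaves untranslated


def didier_rules():
    """The port forward as posted: no route-map, so it applies to every destination."""
    return [StaticTcp("192.168.10.10", 80, 8095), DynamicOverload(ACL_170)]


def route_map_rules():
    """Same port forward with a route-map that reuses ACL 170 to skip the VPN subnet."""
    return [StaticTcp("192.168.10.10", 80, 8095, route_map=ACL_170), DynamicOverload(ACL_170)]


def demo():
    vpn_peer, internet_peer = "172.16.0.5", "198.51.100.7"   # constructed remote hosts
    web = ("192.168.10.10", 80)                              # the server's reply source
    return {
        "before_reply_to_vpn": inside_to_outside(didier_rules(), *web, vpn_peer),
        "before_reply_to_internet": inside_to_outside(didier_rules(), *web, internet_peer),
        "after_reply_to_vpn": inside_to_outside(route_map_rules(), *web, vpn_peer),
        "after_reply_to_internet": inside_to_outside(route_map_rules(), *web, internet_peer),
    }


if __name__ == "__main__":
    for flow, (addr, port) in demo().items():
        print(f"{flow:26s} -> {addr}:{port}")
```

In the "before" table the reply to the VPN peer leaves as 203.0.113.10:8095, which the peer never sent to, so the connection through the tunnel fails even though the deny entry in ACL 170 protects the dynamic overload. Once the static entry is also gated by the route-map, the VPN reply is left as 192.168.10.10:80 while Internet clients still reach the server on port 8095.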
-
[WRVS4400N] RADIUS with VPN?
Hello
I have an Active Directory with a RADIUS server and I intend to buy a wireless router with VPN functionality.
I took a glance at the WRVS4400N documentation and I saw the use of RADIUS with 802.1X and wireless, but nothing about its use with VPN...
Is it therefore possible to use RADIUS for authentication on the VPN?
Thank you
Hi Mathieu chick, and welcome to the Cisco Support Community home page!
The WRVS4400N is managed by the Cisco Small Business Support Community.
For discussions about this product, go here.
-
Looking for Wireless-N Gigabit Router with VPN
Hi all
I recently bought the WRT310N Wireless-N Gigabit Router and I'm in love! I upgraded from an old Netgear router, so now I'm enjoying gigabit performance.
After buying my NAS, I now use VPN to connect to my NAS when I'm remote. I started to look at installing OpenVPN on my NAS, but it seemed complicated and buggy, so I was glad when I read that a large number of routers today include built-in VPN features.
I searched but did not find any Wireless-N Gigabit router that also included VPN features. I found 10/100 routers with VPN, but not Gigabit Wireless-N.
Are there Linksys Wireless-N Gigabit routers with integrated VPN? If yes, can you tell me which model I should buy?
In summary, I'd like to keep my Wireless-N Gigabit performance and (hopefully!) use the VPN on the Linksys router so that I don't have to worry about complex and buggy VPN software installs on my NAS. How can I do this?
Thank you!
As far as I know, the only model that suits your requirement is the WRVS4400N. It's a Wireless Gigabit router.
-
Problems with my 4 port Gigabit Security Router with VPN
OK, I had a wireless router and I have a Web site hosted by 1and1.com, and I could connect to my site fine. But recently I got the 4 port Gigabit Security Router with VPN and since then I have not been able to connect to it at all. I started my own FTP server; it always blocks and will capture everything until it tries to retrieve the files, then it just times out after a while.
What is the model number of your device? If you have a Web server and an FTP server behind the router, you will need to forward the ports used by those applications: TCP 80 and TCP 21.
-
C6280, win7 cannot print via active network with VPN
Hi, I have 2 PCs, one on Vista, one on Win7. With Vista, I can print over the network.
Also, via USB on the Win7 PC I can print.
But I can't print over the network on the Win7 PC with VPN active. Without VPN, it works.
I had several problems with the installation of the SW. Finally it worked (I think I had to turn off my VPN connection).
It recognizes the printer, the state says: ready, but when I print, I get an error after a while.
When I stop the VPN, I can print.
I tried to load the patch for Win 7 (recommended on the HP site for the "printer disappears" problem), but it says that I don't have the right SW?
Any idea?
Hi ReneH,
I am pleased to hear that the problem has been resolved. Have a wonderful day.
-
3 RVS 4000 with VPN connection
Hello
I want to connect 3 RVS4000 routers in a triangle with VPN.
I configured the 3 routers, which can connect to the Internet. Each of them is configured as the gateway.
I created 2 tunnels on each router. But the VPN connection cannot be established.
Here is the configuration of ROUTER1; the others are configured in the same way, only the remote group configuration is different.
Do I also need to open some ports for VPN? If yes, which ones and where?
Thanks for your help and your response
HP. Meyer
Hi hanspetermeyer,
Thank you for posting. You don't need to open any ports for VPN. I noticed that your screenshot shows two routers have a common LAN subnet of 192.168.100.x. You will need a different local subnet for each router:
- Router 1: 192.168.1.1
- Router 2: 192.168.2.1
- Router 3: 192.168.3.1
I think you will find the tunnels only connect once you change the LAN IP of the routers so that they are on different subnets. Please let us know if it works.
-
Now,
I want to NAT by looking at the destination address.
For example, if the destination is A, NAT to pool network x, and if the destination is something different, then NAT to pool y.
IOS supports NATting with ACLs and route-maps.
But as stated in the command reference, specifying an ACL is valid only for nat 0.
So how can I NAT based on destination address?
Is it possible with PIX?
If so, how?
Thanks in advance
You cannot do conditional NAT based on destination address on the PIX. The only way to achieve this would be to have several interfaces, with routes that would send traffic for each destination out of its own interface, and NAT them as appropriate.