NAT with VPN

Hello friends

I m noob with firewall and I create a VPN site-to-site with a customer with the tracking information:

My site:

10.204.x.x/24

10.69.0.0/24

others

Customer site:

172.30.20.0/24

But my site 10.69.0.0 network is an internal network of the client, that they asked me to do a NAT when the network 10.69.0.0 will 172.30.20.0 them must go out with the IP 172.30.100.0.

Anyone know what can make it work configurations?

Thank you

Marcio,

You can use a political static NAT:

network of the LAN object - 10.69.0.0

subnet 10.69.0.0 255.255.x.x

network object obj - 172.30.100.0_nat

172.30.100.0 subnet 255.255.255.0

network object obj - 172.30.20.0

172.30.20.0 subnet 255.255.255.0

NAT (inside, outside) source static LAN - 10.69.0.0 obj - 172.30.100.0_nat destination static obj - 172.30.20.0 obj - 172.30.20.0

-JP-

Tags: Cisco Security

Similar Questions

Static NAT with the road map for excluding the VPN

We have problems of access to certain IPs NATted static via a VPN. After some research, we have learned that you have to exclude traffic destined for the VPN to the static NAT using a road map. So we did this:

10.1.1.x is the VPN IP pool.

access-list 130 refuse ip 192.168.1.0 0.0.0.255 10.1.1.0 0.0.0.255
access-list 130 allow ip 192.168.1.0 0.0.0.255 any

sheep allowed 10 route map
corresponds to the IP 130

IP nat inside source static 192.168.1.5 1.1.1.1 sheep map route

Above worked to fix the VPN but the IP 192.168.1.5 is no longer publicly available via 1.1.1.1. What seems to happen, is that the static NAT is not really work and this IP address is NATted with the IP of PAT.

Any ideas on how to get this to work?

Thank you
Diego

Hello

The following example details exactly your case:

http://www.Cisco.com/en/us/Tech/tk583/TK372/technologies_configuration_example09186a0080094634.shtml

Try to replace the 192.168.1.0 subnet by the host address.

It should work

HTH

Laurent.

IOS - help with VPN IPsec L2L with NAT

Hello guys

I tried to get VPN to work for a specific scenario where I do NAT for VPN traffic to avoid the duplication of subnet.

I found several guides on cisco.com, but all the ones I found does not (or how) overload NAT (for internet traffic), I need for my setup.

http://www.Cisco.com/en/us/Tech/tk583/TK372/technologies_configuration_example09186a00800b07ed.shtml

http://www.Cisco.com/en/us/products/ps5855/products_configuration_example09186a0080a0ece4.shtml

Basically, I need to know how the configuration looks like when make you static NAT in a VPN tunnel as well as provide internet connectivity using NAT in the same router?

I have attached a drawing that needs to better explain my needs.

Someone knows a guide that shows how to do this?

Best regards

Jesper

You can use a static policy NAT NAT the traffic:

access-list 101 permit ip 10.0.0.0 0.0.0.255 10.30.10.0 0.0.0.0.255

access-list 102 deny ip 10.0.0.0 0.0.0.255 10.30.10.0 0.0.0.0.255

access-list 102 permit ip 10.0.0.0 0.0.0.255 any

policy-NAT allowed 10 route map

corresponds to the IP 101

internet-NAT allowed 10 route map

corresponds to the IP 102

IP nat inside source static network 10.0.0.0 road policy-NAT 10.30.10.0/24-feuille

IP nat inside source map route internet-NAT interface overloading

Hope that helps.

Making the NAT for VPN through L2L tunnel clients

Hi.I has the following situation in my network. We need for users who log on our site with the VPN clients to connect to another site via a tunnel L2L. The problem is that I need NAT addresses from the pool of VPN client in another beach before going on the L2L tunnel because on the other side, we have duplication of networks.

I tried to do NAT with little success as follows:

ACL for pool NAT of VPN:

Extended list ip 192.168.253.0 access TEST allow 255.255.255.0 192.168.0.0 255.255.255.0

Extended list ip 192.168.253.0 access TEST allow 255.255.255.0 192.168.5.0 255.255.255.0

NAT:

Global 172.20.105.1 - 172.20.105.254 15 (outdoor)

NAT (inside) 15 TEST access-list

CRYPTO ACL:

allowed ro access list extended LAN ip 255.255.0.0 192.168.0.0 255.255.255.0

allowed ro access list extended LAN ip 255.255.0.0 192.168.5.0 255.255.255.0

IP 172.20.105.0 RO allow extended access list 255.255.255.0 192.168.0.0 255.255.255.0

IP 172.20.105.0 RO allow extended access list 255.255.255.0 192.168.5.0 255.255.255.0

permit same-security-traffic intra-interface

Am I missing something here? Something like this is possible at all?

Thanks in advance for any help.

We use the ASA 5510 with software version 8.0 (3) 6.

You need nat to the outside, not the inside.

NAT (outside) 15 TEST access-list

Policy NAT for VPN L2L

Summary:

We strive to establish a two-way VPN L2L tunnel with a partner. VPN traffic is one-to-many towards our partner, and our partner they need of a many-to-one to us (they need to access a host on our network). In addition, our partner has many VPN, so they force us to use a separate NAT with two private hosts addresses, one for each direction of the tunnel.

My initial configuration of the tunnel on my grown up side of Phase 1, but not IPSec. Partner ran debug that revealed that my host did not address NAT'd in the NAT policy. We use an ASA5520, ver 7.0.

Here is the config:

# #List of OUR guests

the OURHosts object-group network

network-host 192.168.x.y object

# Hosts PARTNER #List

the PARTNERHosts object-group network

network-host 10.2.a.b object

###ACL for NAT

# Many - to - many outgoing

access-list extended NAT2 allowed ip object-group OURHosts-group of objects PARTNERHosts

# One - to - many incoming

VIH3 list extended access permit ip host 192.168.c.d PARTNERHosts object-group

# #NAT

NAT (INSIDE) 2-list of access NAT2

NAT (OUTSIDE) 2 172.20.n.0

NAT (INSIDE) 3 access-list VIH3

NAT (OUTSIDE) 3 172.20.n.1

# #ACL for VPN

access list permits extended VPN ip object-group objects PARTNERHosts OURHosts-group

access allowed extended VPN ip host 192.168.c.d PARTNERHosts object-group list

# #Tunnel

tunnel-group type ipsec-l2l

card <#>crypto is the VPN address

card crypto <#>the value transform-set VPN

card <#>crypto defined peer

I realize that the ACL for the VPN should read:

access allowed extended VPN ip host 172.20.n.0 PARTNERHosts object-group list

access allowed extended VPN ip host 172.20.n.1 PARTNERHosts object-group list

.. . If the NAT was working properly, but when this ACL is used, Phase 1 is not even negotiating, so I know the NAT is never translated.

What am I missing to NAT guests for 172.20 addresses host trying to access their internal addresses via the VPN?

Thanks in advance.

Patrick

Here is the order of operations for NAT on the firewall:

1 nat 0-list of access (free from nat)

2. match the existing xlates

3. match the static controls

a. static NAT with no access list

b. static PAT with no access list

4. match orders nat

a. nat [id] access-list (first match)

b. nat [id] [address] [mask] (best match)

i. If the ID is 0, create an xlate identity

II. use global pool for dynamic NAT

III. use global dynamic pool for PAT

If you can try

(1) a static NAT with an access list that will have priority on instruction of dynamic NAT

(2) as you can see on 4A it uses first match with NAT and access list so theoretically Exchange autour should do the trick.

I don't see any negative consequences? -Well Yes, you could lose all connectivity. I don't think that will happen, but I can't promise if you do absolutely not this after-hours.

Jon

Problem with "vpn sysopt connection permit.

Hi all

I would like to ask you for advice with "vpn sysopt connection permit". I have a problem with by-pass-access list (acl) in the INSIDE interface. As I understand it and I'm going to use this command, there is no need to especialy allow traffic in the access list for the INSIDE and I can control the filter-vpn traffic. But in my case it's quite the opposite, I want particularly to this INTERIOR acl traffi. When I allow this traffic inside acl L2L tunnel rises, hollow traffic flow vpn-fltr ane acl that everything is OK. But when I do not allow that this traffic is inside of the rule with Deny statement in acl INSIDE block traffic and tunnel goes ever upward. Part of the configuraciton which you can view below.

Please let me know if I'm wrong, or what I did wrong?

Thank you

Karel

PHA-FW01 # view worm | Worm Inc

Cisco Adaptive Security Appliance Software Version 4,0000 1

PHA-FW01 # display ru all sys

No timewait sysopt connection

Sysopt connection tcpmss 1380

Sysopt connection tcpmss minimum 0

Sysopt connection permit VPN

Sysopt connection VPN-reclassify

No sysopt preserve-vpn-stream connection

no RADIUS secret ignore sysopt

No inside sysopt noproxyarp

No EXT-VLAN20 sysopt noproxyarp

No EXT-WIFI-VLAN30 sysopt noproxyarp

No OUTSIDE sysopt noproxyarp

PHA-FW01 # display the id of the object-group ALGOTECH

object-group network ALGOTECH

object-network 10.10.22.0 255.255.255.0

host of the object-Network 172.16.15.11

PHA-FW01 # show running-config id of the object VLAN20

network of the VLAN20 object

subnet 10.1.2.0 255.255.255.0

L2L_to_ALGOTECH list extended access permitted ip object object-group VLAN20 ALGOTECH

extended access list ACL-ALGOTECH allow ip object-group object VLAN20 ALGOTECH

Note EXT-VLAN20 of access list =.

access list EXT-VLAN20 allowed extended ip object VLAN20 ALGOTECH #why object-group must be the rule here?

access list EXT-VLAN20 extended permitted udp object VLAN20 object-group OUT-DNS-SERVERS eq field

EXT-VLAN20 allowed extended VLAN20 object VPN-USERS ip access list

EXT-VLAN20 extended access list permit ip object VLAN20 OPENVPN-SASPO object-group

EXT-VLAN20 allowed extended object VLAN10 VLAN20 ip access list

deny access list extended VLAN20 EXT ip no matter what LOCAL NETS of object-group paper

EXT-VLAN20 allowed extended icmp access list no echo

access list EXT-VLAN20 allowed extended object-group SERVICE VLAN20 object VLAN20 everything

EXT-VLAN20 extended access list deny ip any any newspaper

extended access list ACL-ALGOTECH allow ip object-group object VLAN20 ALGOTECH

GROUP_POLICY-91 group policy. X 41. X.12 internal

GROUP_POLICY-91 group policy. X 41. X.12 attributes

value of VPN-filter ACL-ALGOTECH

Ikev1 VPN-tunnel-Protocol

tunnel-group 91.X41. X.12 type ipsec-l2l

tunnel-group 91.X41. X.12 General attributes

Group Policy - by default-GROUP_POLICY-91. X 41. X.12

tunnel-group 91.X41. X.12 ipsec-attributes

IKEv1 pre-shared-key *.

PHA-FW01 # show running-config nat

NAT (EXT-VLAN20, outdoors) static source VLAN20 VLAN20 static destination ALGOTECH ALGOTECH non-proxy-arp-search to itinerary

network of the VLAN20 object

dynamic NAT interface (EXT-VLAN20, outdoors)

group-access to the INTERIOR in the interface inside

Access-group interface VLAN20 EXT EXT-VLAN20

Hello

The command "sysopt connection permit-vpn" is the default setting and it applies only to bypass ACL interface to the interface that ends the VPN. It would be connected to the external network interface. This custom has no effect on the other interfaces ACL interface.

So if you initiate or need to open connections from your local network to remote network through the VPN L2L connection then you will need to allow this traffic on your LAN interface ACL networks.

If the situation was that only the remote end has launched connections to your network then 'sysopt permit vpn connection' would allow their connections around the external interfaces ACL. If If you have a VPN configured ACL filter, I think that the traffic will always accompany against this ACL.

Here are the ASA reference section to order custom "sysopt"

http://www.Cisco.com/en/us/docs/security/ASA/command-reference/S21.html#wp1567918

-Jouni

Problem with VPN

I have two problems with IPSEC VPN, using the cisco client, and a third, which I think could answer here if this isn't strictly associated with VPN.

1. cannot access the internet, while VPN is in place. This can be a problem of client as I * think * I've split tunneling to install correctly.

2. cannot access other networks except the network associated with the inside interface natively.

3. I can not ping to the internet from inside, be it on the VPN or not.

I tend to use the SMDA; Please, if possible, keep the answer to this kindof of entry.

Here is the config:

Output of the command: "sh run".

: Saved

:

ASA Version 8.4 (1)

!

hostname BVGW

domain blueVector.com

activate qWxO.XjLGf3hYkQ1 encrypted password

2KFQnbNIdI.2KYOU encrypted passwd

names of

!

interface Ethernet0/0

nameif outside

security-level 10

IP 5.29.79.10 255.255.255.248

!

interface Ethernet0/1

nameif inside

security-level 100

IP 172.17.1.2 255.255.255.0

!

interface Ethernet0/2

Shutdown

No nameif

no level of security

no ip address

!

interface Ethernet0/3

Shutdown

No nameif

no level of security

no ip address

!

interface Management0/0

nameif management

security-level 100

IP 172.19.1.1 255.255.255.0

management only

!

passive FTP mode

DNS server-group DefaultDNS

domain blueVector.com

permit same-security-traffic inter-interface

permit same-security-traffic intra-interface

the subject of WiFi network

172.17.100.0 subnet 255.255.255.0

WiFi description

the object to the Interior-net network

172.17.1.0 subnet 255.255.255.0

network of the NOSPAM object

Home 172.17.1.60

network of the BH2 object

Home 172.17.1.60

the EX2 object network

Home 172.17.1.61

Description internal Exchange / SMTP outgoing

the Mail2 object network

Home 5.29.79.11

Description Ext EX2

network of the NETWORK_OBJ_172.17.1.240_28 object

subnet 172.17.1.240 255.255.255.240

network of the NETWORK_OBJ_172.17.200.0_24 object

172.17.200.0 subnet 255.255.255.0

DM_INLINE_TCP_1 tcp service object-group

port-object eq www

EQ object of the https port

the DM_INLINE_NETWORK_1 object-group network

network-object BH2

network-object NOSPAM

Outside_access_in list extended access permit tcp any eq smtp DM_INLINE_NETWORK_1 object-group

Outside_access_in list extended access permit tcp any object object-group DM_INLINE_TCP_1 BH2

pager lines 24

Enable logging

asdm of logging of information

Outside 1500 MTU

Within 1500 MTU

management of MTU 1500

mask pool local 172.17.1.240 - 172.17.1.250 VPN IP 255.255.255.0

mask pool local 172.17.200.100 - 172.17.200.200 VPN2 IP 255.255.255.0

no failover

ICMP unreachable rate-limit 1 burst-size 1

don't allow no asdm history

ARP timeout 14400

NAT (inside, outside) static source EX2 Mail2

NAT (inside, outside) static source all all NETWORK_OBJ_172.17.1.240_28 of NETWORK_OBJ_172.17.1.240_28 static destination

NAT (inside, outside) static source all all NETWORK_OBJ_172.17.200.0_24 of NETWORK_OBJ_172.17.200.0_24 static destination

NAT (inside, outside) static source to the Interior-NET Interior-net destination static NETWORK_OBJ_172.17.1.240_28 NETWORK_OBJ_172.17.1.240_28

!

the object to the Interior-net network

NAT (inside, outside) dynamic interface

network of the NOSPAM object

NAT (inside, outside) static 5.29.79.12

Access-group Outside_access_in in interface outside

Route outside 0.0.0.0 0.0.0.0 5.29.79.9 1

Route inside 10.2.0.0 255.255.255.0 172.17.1.1 1

Route inside 10.3.0.0 255.255.255.128 172.17.1.1 1

Route inside 10.10.10.0 255.255.255.0 172.17.1.1 1

Route inside 172.17.100.0 255.255.255.0 172.17.1.3 1

Route inside 172.18.1.0 255.255.255.0 172.17.1.1 1

Route inside 192.168.1.0 255.255.255.0 172.17.1.1 1

Route inside 192.168.11.0 255.255.255.0 172.17.1.1 1

Route inside 192.168.30.0 255.255.255.0 172.17.1.1 1

Timeout xlate 03:00

Timeout conn 01:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02

Sunrpc timeout 0:10:00 h323 0:05:00 h225 mgcp from 01:00 0:05:00 mgcp-pat 0:05:00

Sip timeout 0:30:00 sip_media 0:02:00 prompt Protocol sip-0: 03:00 sip - disconnect 0:02:00

Timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute

timeout tcp-proxy-reassembly 0:01:00

dynamic-access-policy-registration DfltAccessPolicy

AAA-server blueVec protocol ldap

blueVec AAA-server (inside) host 172.17.1.41

LDAP-base-dn DC = adrs1, DC = net

LDAP-group-base-dn DC = EIM, DC = net

LDAP-scope subtree

LDAP-naming-attribute sAMAccountName

LDAP-login-password *.

LDAP-connection-dn CN = Hanna\, Roger, OU = human, or = WPLAdministrator, DC = adrs1, DC = net

microsoft server type

Enable http server

http 192.168.1.0 255.255.255.0 management

http 172.17.1.0 255.255.255.0 inside

http 24.32.208.223 255.255.255.255 outside

No snmp server location

No snmp Server contact

Server enable SNMP traps snmp authentication linkup, linkdown warmstart of cold start

Crypto ipsec transform-set ikev1 ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac

Crypto ipsec transform-set ikev1 ESP-DES-SHA esp - esp-sha-hmac

Crypto ipsec transform-set ikev1 esp ESP-DES-MD5-esp-md5-hmac

Crypto ipsec transform-set ikev1 ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac

Crypto ipsec transform-set ikev1 ESP-3DES-MD5-esp-3des esp-md5-hmac

Crypto ipsec transform-set ikev1 ESP-AES-256-SHA esp-aes-256 esp-sha-hmac

Crypto ipsec transform-set ikev1 ESP-AES-128-SHA aes - esp esp-sha-hmac

Crypto ipsec transform-set ikev1 ESP-AES-192-SHA esp-aes-192 esp-sha-hmac

Crypto ipsec transform-set ikev1 ESP-AES-128-MD5-esp - aes esp-md5-hmac

Crypto ipsec transform-set ikev1 SHA-ESP-3DES esp-3des esp-sha-hmac

crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 define ikev1 transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA MD5-ESP-3DES ESP-DES-SHA ESP-DES-MD5

card crypto Outside_map 65535-isakmp dynamic ipsec SYSTEM_DEFAULT_CRYPTO_MAP

Outside_map interface card crypto outside

Crypto ikev1 allow outside

IKEv1 crypto policy 10

preshared authentication

3des encryption

sha hash

Group 2

life 86400

IKEv1 crypto policy 30

authentication crack

3des encryption

sha hash

Group 2

life 86400

Telnet timeout 5

SSH 172.17.1.0 255.255.255.0 inside

SSH timeout 5

Console timeout 0

dhcpd address 172.17.1.100 - 172.17.1.200 inside

dhcpd 4.2.2.2 dns 8.8.8.8 interface inside

dhcpd lease interface 100000 inside

dhcpd adrs1.net area inside interface

!

a basic threat threat detection

threat detection statistics

a statistical threat detection tcp-interception rate-interval 30 burst-400-rate average rate 200

WebVPN

internal blueV group policy

attributes of the strategy of group blueV

value of server WINS 172.17.1.41

value of 172.17.1.41 DNS server 172.17.1.42

Ikev1 VPN-tunnel-Protocol

value by default-field ADRS1.NET

internal blueV_1 group policy

attributes of the strategy of group blueV_1

value of server WINS 172.17.1.41

value of 172.17.1.41 DNS server 172.17.1.42

Ikev1 VPN-tunnel-Protocol

Split-tunnel-policy tunnelspecified

adrs1.NET value by default-field

username gwhitten encrypted password privilege 0 8fLfC1TTV35zytjA

username gwhitten attributes

VPN-group-policy blueV

rparker encrypted FnbvAdOZxk4r40E5 privilege 15 password username

attributes of username rparker

VPN-group-policy blueV

username mhale encrypted password privilege 0 2reWKpsLC5em3o1P

username mhale attributes

VPN-group-policy blueV

VpnUser2 SlHbkDWqPQLgylxJ encrypted privilege 0 username password

username VpnUser2 attributes

VPN-group-policy blueV

Vpnuser3 R6zHxBM9chjqBPHl encrypted privilege 0 username password

username Vpnuser3 attributes

VPN-group-policy blueV

username VpnUser1 encrypted password privilege 0 mLHXwxsjJEIziFgb

username VpnUser1 attributes

VPN-group-policy blueV

username dcoletto encrypted password privilege 0 g53yRiEqpcYkSyYS

username dcoletto attributes

VPN-group-policy blueV

username, password jmcleod aSV6RHsq7Wn/YJ7X encrypted privilege 0

username jmcleod attributes

VPN-group-policy blueV

rhanna encrypted Pd3E3vqnGmV84Ds2 privilege 15 password username

rhanna attributes username

VPN-group-policy blueV

username rheimann encrypted password privilege 0 tHH5ZYDXJ0qKyxnk

username rheimann attributes

VPN-group-policy blueV

username jwoosley encrypted password privilege 0 yBOc8ubzzbeBXmuo

username jwoosley attributes

VPN-group-policy blueV

2DBQVSUbfTBuxC8u encrypted password privilege 0 kdavis username

kdavis username attributes

VPN-group-policy blueV

username mbell encrypted password privilege 0 adskOOsnVPnw6eJD

username mbell attributes

VPN-group-policy blueV

bmiller dpqK9cKk50J7TuPN encrypted password privilege 0 username

bmiller username attributes

VPN-group-policy blueV

type tunnel-group blueV remote access

tunnel-group blueV General-attributes

address VPN2 pool

authentication-server-group blueVec

Group Policy - by default-blueV_1

blueV group of tunnel ipsec-attributes

IKEv1 pre-shablue-key *.

!

class-map inspection_default

match default-inspection-traffic

!

!

type of policy-card inspect dns preset_dns_map

parameters

maximum message length automatic of customer

message-length maximum 512

Policy-map global_policy

class inspection_default

inspect the preset_dns_map dns

inspect the ftp

inspect h323 h225

inspect the h323 ras

inspect the rsh

inspect the rtsp

inspect esmtp

inspect sqlnet

inspect the skinny

inspect sunrpc

inspect xdmcp

inspect the sip

inspect the netbios

inspect the tftp

Review the ip options

!

global service-policy global_policy

context of prompt hostname

call-home

Profile of CiscoTAC-1

no active account

http https://tools.cisco.com/its/service/oddce/services/DDCEService destination address

email address of destination [email protected] / * /

destination-mode http transport

Subscribe to alert-group diagnosis

Subscribe to alert-group environment

Subscribe to alert-group monthly periodic inventory

monthly periodicals to subscribe to alert-group configuration

daily periodic subscribe to alert-group telemetry

HPM topN enable

Cryptochecksum:2491a825fb8a81439a6c80288f33818e

: end

Any help is appreciated!

-Roger

Hey,.

Unfortunately, I do not use ASDM myself but will always mention things that could be done.

You do not split tunneling. All traffic either tunnel to the ASA, while VPN is active

You have the following line under the "group policy"

Split-tunnel-policy tunnelspecified

You will also need this line

Split-tunnel-network-list value

Defines the destination for the VPN Client networks. If you go in on the side of the ASDM group policy settings, you should see that no ACL is selected. You don't really seem to have an ACL in the configuration above, for the split tunneling?

To activate access Internet via the VPN Client now in the current configuration, I would say the following configuration of NAT

VPN-CLIENT-PAT-SOURCE network object-group

object-network 172.17.200.0 255.255.255.0

NAT (outside, outdoor) automatic interface after dynamic source VPN-CLIENT-PAT-SOURCE

In regards to the traffic does not for other networks, I'm not really sure. I guess they aren't hitting the rule NAT that are configured. I think they should, but I guess they aren't because its does not work

I could myself try the following configuration of NAT

object-group, network LAN-NETWORKS

object-network 10.2.0.0 255.255.255.0

object-network 10.3.0.0 255.255.255.128

object-network 10.10.10.0 255.255.255.0

object-network 172.17.100.0 255.255.255.0

object-network 172.18.1.0 255.255.255.0

object-network 192.168.1.0 255.255.255.0

object-network 192.168.11.0 255.255.255.0

object-network 192.168.30.0 255.255.255.0

object-group, network VPN-POOL

object-network 172.17.200.0 255.255.255.0

NAT (inside, outside) static static source of destination LAN-LAN-NETWORK VPN-VPN-POOL

Add ICMP ICMP Inspection

Policy-map global_policy

class inspection_default

inspect the icmp

or alternatively

fixup protocol icmp

This will allow automatically response to ICMP echo messages pass through the firewall. I assume that they are is blocked by the firewall now since you did not previously enable ICMP Inspection.

-Jouni

Difficulty accessing 1 remote desktop when connected with VPN

Hello world

I have an ASA 5505 and have a problem where when I connect via VPN, I can RDP into a server using its internal address but I can't RDP to another server using its internal address.

One that I can connect to a an IP of 192.168.2.10 and I can't connect to a a 192.168.2.11 on 3390 port IP address.

The two rules are configured exactly the same except for the IP addresses and I can't see why I can't connect to this server.

I am also able to connect to my camera system with an IP on port 37777 192.168.2.25 and able to ping any other device on the network internal.

I also tried ping he and Telnet to port 3390 without success.

Here is the config.

ASA 4,0000 Version 1

!

!

interface Ethernet0/0

switchport access vlan 3

!

interface Ethernet0/1

!

interface Ethernet0/2

switchport access vlan 2

!

interface Ethernet0/3

!

interface Ethernet0/4

!

interface Ethernet0/5

!

interface Ethernet0/6

!

interface Ethernet0/7

!

interface Vlan2

nameif inside

security-level 100

IP 192.168.2.2 255.255.255.0

!

interface Vlan3

nameif outside

security-level 0

10.1.1.1 IP address 255.255.255.0

!

passive FTP mode

clock timezone IS - 5

clock to summer time EDT recurring

network obj_any object

subnet 0.0.0.0 0.0.0.0

network of the OWTS-LAN-OUT object

10.1.1.10 range 10.1.1.49

network of the OWTS-LAN-IN object

Subnet 192.168.2.0 255.255.255.0

service of the RDP3389 object

service destination tcp 3389 eq

Description of DC

the object SERVER-IN network

host 192.168.2.10

network of the SERVER-OUT object

Home 10.1.1.50

network of the CAMERA-IN-TCP object

Home 192.168.2.25

network of the CAMERA-OUT object

Home 10.1.1.51

service object CAMERA-TCP

Service tcp destination eq 37777

the object SERVER-Virt-IN network

Home 192.168.2.11

network of the SERVER-Virt-OUT object

Home 10.1.1.52

service of the RDP3390 object

Service tcp destination eq 3390

Description of VS for Master

network of the CAMERA-IN-UDP object

Home 192.168.2.25

service object CAMERA-UDP

Service udp destination eq 37778

the object OWTS LAN OUT VPN network

subnet 10.1.1.128 255.255.255.128

the object SERVER-Virt-IN-VPN network

Home 192.168.2.11

the object SERVER-IN-VPN network

host 192.168.2.10

the object CAMERA-IN-VPN network

Home 192.168.2.25

object-group Protocol TCPUDP

object-protocol udp

object-tcp protocol

AnyConnect_Client_Local_Print deny ip extended access list a whole

AnyConnect_Client_Local_Print list extended access permit tcp any any eq lpd

Note AnyConnect_Client_Local_Print of access list IPP: Internet Printing Protocol

AnyConnect_Client_Local_Print list extended access permit tcp any any eq 631

print the access-list AnyConnect_Client_Local_Print Note Windows port

AnyConnect_Client_Local_Print list extended access permit tcp any any eq 9100

access-list AnyConnect_Client_Local_Print mDNS Note: multicast DNS protocol

AnyConnect_Client_Local_Print list extended access permit udp any host 224.0.0.251 eq 5353

AnyConnect_Client_Local_Print of access list LLMNR Note: link Local Multicast Name Resolution protocol

AnyConnect_Client_Local_Print list extended access permit udp any host 224.0.0.252 eq 5355

Note access list TCP/NetBIOS protocol AnyConnect_Client_Local_Print

AnyConnect_Client_Local_Print list extended access permit tcp any any eq 137

AnyConnect_Client_Local_Print list extended access udp allowed any any eq netbios-ns

implicit rule of access-list inside1_access_in Note: allow all traffic to less secure networks

inside1_access_in of access allowed any ip an extended list

outside_access_in list extended access allowed object RDP3389 any host 192.168.2.10

outside_access_in list extended access allowed object RDP3390 any host 192.168.2.11

outside_access_in list extended access allowed object CAMERA TCP any host 192.168.2.25

outside_access_in list extended access allowed object CAMERA UDP any host 192.168.2.25

pager lines 24

Enable logging

exploitation forest-size of the buffer 10240

asdm of logging of information

Within 1500 MTU

Outside 1500 MTU

local pool RAVPN 10.1.1.129 - 10.1.1.254 255.255.255.128 IP mask

no failover

ICMP unreachable rate-limit 1 burst-size 1

don't allow no asdm history

ARP timeout 14400

NAT static destination SERVER-IN-VPN SERVER-IN-VPN (indoor, outdoor) static source OWTS LAN OUT VPN OWTS-LAN-OUT-VPN

NAT static destination of CAMERA-IN-VPN VPN-IN-CAMERA (indoor, outdoor) static source OWTS LAN OUT VPN OWTS-LAN-OUT-VPN

NAT static destination of SERVER Virt-IN-VPN-SERVER-Virt-IN-VPN (indoor, outdoor) static source OWTS LAN OUT VPN OWTS-LAN-OUT-VPN

!

network of the OWTS-LAN-IN object

NAT dynamic interface (indoor, outdoor)

the object SERVER-IN network

NAT (inside, outside) Shared SERVER-OUT service tcp 3389 3389

network of the CAMERA-IN-TCP object

NAT (inside, outside) static CAMERA-OFF 37777 37777 tcp service

the object SERVER-Virt-IN network

NAT (inside, outside) Shared SERVER-Virt-OUT 3390 3390 tcp service

inside1_access_in access to the interface inside group

Access-group outside_access_in in interface outside

Route outside 0.0.0.0 0.0.0.0 10.1.1.2 1

Timeout xlate 03:00

Pat-xlate timeout 0:00:30

Timeout conn 01:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02

Sunrpc timeout 0:10:00 h323 0:05:00 h225 mgcp from 01:00 0:05:00 mgcp-pat 0:05:00

Sip timeout 0:30:00 sip_media 0:02:00 prompt Protocol sip-0: 03:00 sip - disconnect 0:02:00

Timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute

timeout tcp-proxy-reassembly 0:01:00

Floating conn timeout 0:00:00

dynamic-access-policy-registration DfltAccessPolicy

identity of the user by default-domain LOCAL

Enable http server

http 192.168.2.0 255.255.255.0 inside

No snmp server location

No snmp Server contact

Server enable SNMP traps snmp authentication linkup, linkdown warmstart of cold start

Crypto ipsec transform-set ikev1 ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac

Crypto ipsec transform-set ikev1 ESP-DES-SHA esp - esp-sha-hmac

Crypto ipsec transform-set ikev1 SHA-ESP-3DES esp-3des esp-sha-hmac

Crypto ipsec transform-set ikev1 esp ESP-DES-MD5-esp-md5-hmac

Crypto ipsec transform-set ikev1 ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac

Crypto ipsec transform-set ikev1 ESP-3DES-MD5-esp-3des esp-md5-hmac

Crypto ipsec transform-set ikev1 ESP-AES-256-SHA esp-aes-256 esp-sha-hmac

Crypto ipsec transform-set ikev1 ESP-AES-128-SHA aes - esp esp-sha-hmac

Crypto ipsec transform-set ikev1 ESP-AES-192-SHA esp-aes-192 esp-sha-hmac

Crypto ipsec transform-set ikev1 ESP-AES-128-MD5-esp - aes esp-md5-hmac

crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 pfs Group1 set

crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 define ikev1 transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA MD5-ESP-3DES ESP

DES-SHA ESP-DES-MD5

outside_map card crypto 65535-isakmp dynamic ipsec SYSTEM_DEFAULT_CRYPTO_MAP

outside_map interface card crypto outside

Crypto ca trustpoint ASDM_TrustPoint0

Terminal registration

name of the object CN = SACTSGRO

Configure CRL

Crypto ikev1 allow outside

IKEv1 crypto policy 10

authentication crack

aes-256 encryption

sha hash

Group 2

life 86400

IKEv1 crypto policy 20

authentication rsa - sig

aes-256 encryption

sha hash

Group 2

life 86400

IKEv1 crypto policy 30

preshared authentication

aes-256 encryption

sha hash

Group 2

life 86400

IKEv1 crypto policy 40

authentication crack

aes-192 encryption

sha hash

Group 2

life 86400

IKEv1 crypto policy 50

authentication rsa - sig

aes-192 encryption

sha hash

Group 2

life 86400

IKEv1 crypto policy 60

preshared authentication

aes-192 encryption

sha hash

Group 2

life 86400

IKEv1 crypto policy 70

authentication crack

aes encryption

sha hash

Group 2

life 86400

IKEv1 crypto policy 80

authentication rsa - sig

aes encryption

sha hash

Group 2

life 86400

IKEv1 crypto policy 90

preshared authentication

aes encryption

sha hash

Group 2

life 86400

IKEv1 crypto policy 100

authentication crack

3des encryption

sha hash

Group 2

life 86400

IKEv1 crypto policy 110

authentication rsa - sig

3des encryption

sha hash

Group 2

life 86400

IKEv1 crypto policy 120

preshared authentication

3des encryption

sha hash

Group 2

life 86400

IKEv1 crypto policy 130

authentication crack

the Encryption

sha hash

Group 2

life 86400

IKEv1 crypto policy 140

authentication rsa - sig

the Encryption

sha hash

Group 2

life 86400

IKEv1 crypto policy 150

preshared authentication

the Encryption

sha hash

Group 2

life 86400

Telnet 192.168.2.0 255.255.255.0 inside

Telnet timeout 15

SSH 192.168.2.0 255.255.255.0 inside

SSH timeout 5

SSH version 2

SSH group dh-Group1-sha1 key exchange

Console timeout 15

dhcpd auto_config inside

!

a basic threat threat detection

statistical threat detection port

Statistical threat detection Protocol

Statistics-list of access threat detection

no statistical threat detection tcp-interception

WebVPN

username admin privilege 15 xxxxx encrypted password

attributes of user admin name

VPN-group-policy DfltGrpPolicy

type tunnel-group CTSGRA remote access

attributes global-tunnel-group CTSGRA

address RAVPN pool

IPSec-attributes tunnel-group CTSGRA

IKEv1 pre-shared-key *.

!

class-map inspection_default

match default-inspection-traffic

!

!

Policy-map global_policy

class inspection_default

inspect the icmp

!

global service-policy global_policy

context of prompt hostname

no remote anonymous reporting call

Cryptochecksum:0140431e7642742a856e91246356e6a2

: end

Thanks for your help

Ok

So, basically, you set up the router so that you can directly connect to the ASA using the Cisco VPN Client. And also, the goal was ultimately only allow traffic to the LAN through the VPN Client ONLY connection.

It seems to me to realize that you have only the following configurations of NAT

VPN Client NAT0 / free of NAT / identity NAT

the object of the LAN network

Subnet 192.168.2.0 255.255.255.0

network of the VPN-POOL object

subnet 10.1.1.128 255.255.255.128

NAT static destination LAN LAN (indoor, outdoor) static source VPN-VPN-POOL

The NAT configuration above is simply to tell the ASA who don't do any type of NAT when there is traffic between the network 192.168.2.0/24 LAN and VPN 10.1.1.128/25 pool. That way if you have additional hosts on the local network that needs to be connected to, you won't have to do any form of changes to the NAT configurations for customer VPN users. You simply to allow connections in the ACL list (explained further below)

Failure to PAT

object-group network by DEFAULT-PAT-SOURCE

object-network 192.168.2.0 255.255.255.0

NAT automatic interface after (indoor, outdoor) dynamic source by DEFAULT-PAT-SOURCE

This configuration is intended just to replace the previous rule of PAT dynamic on the SAA. I guess that your router will do the translation of the ASA "outside" IP address of the interface to the public IP address of routers and this configuration should allow normal use of the Internet from the local network.

I suggest you remove all other NAT configurations, before adding these.

Control of the VPN clients access to internal resources

Also, I assume that your current VPN client is configured as full Tunnel. In other words, it will tunnel all traffic to the VPN connection, so that its assets?

To control traffic from the VPN Client users, I would suggest that you do the following
- Set up "no sysopt permit vpn connection"
  - This will change the ASA operation so that connections through a VPN connection NOT allowed by default in order to bypass the ACL 'outside' interface. So, after this change, you can allow connections you need in the 'outer' interface ACL.
- Configure rules you need for connections from VPN clients to the "external" ACL interface. Although I guess they already exist as you connect there without the VPN also
I can't say this with 100% certainty, but it seems to me that the things above, you should get to the point where you can access internal resources ONLY after when you have connected to the ASA via the connection of the VPN client. Naturally take precautions like backups of configuration if you want to major configuration changes. If you manage remotely the ASA then you also also have the ability to configure a timer on the SAA, whereupon it recharges automatically. This could help in situations where a missconfiguration breaks you management connection and you don't have another way to connect remotely. Then the ASA would simply restart after that timer missed and also restart with the original configuration (as long as you did not record anything between the two)

Why you use a different port for the other devices RDP connection? I can understand it if its use through the Internet, but if the RDP connection would be used by the VPN Client only so I don't think that it is not necessary to manipulate the default port 3389 on the server or on the SAA.

Also of course if there is something on the side of real server preventing these connections then these configuration changes may not help at all.

Let me know if I understood something wrong

-Jouni

Passed the port, conflict with VPN

Hello

I have a WEB SERVER, I want to share, this bellows port forwarding work well:

I mean by that:

The WEB SERVER is 192.168.10.10 on the local network and on the WEB, it's 81.83.XX. YY:8095

When I try that it works with VPN ON or OFF.

If I make a VPN TUNNEL, the link above and still work, but I can't see it in its original address: 192.168.10.10

Here below a small part of the original manuscript and half of the solution:

IP nat inside source static tcp 192.168.10.68 5800 interface FastEthernet0/0 5800

overload of IP nat inside source list 170 interface FastEthernet0/0

IP nat inside source static tcp 192.168.10.10 80 interface FastEthernet0/0 8095

IP nat inside source static tcp 192.168.10.68 5900 interface FastEthernet0/0 5900

overload of IP nat inside source list interface FastEthernet0/0.245 NAT1

!

access-list 150 permit ip 192.168.10.0 0.0.0.255 172.16.0.0 0.0.0.255

access-list 170 refuse ip 192.168.10.0 0.0.0.255 172.16.0.0 0.0.0.255

access-list 170 permit ip 192.168.10.0 0.0.0.255 any

SOLUTION:

With this I can access my server VIA VPN, but because of that I removed the forwarded port, the 81.83.XX. YY:8095 no longer works.

No idea if I can do something in an ACL?

IP nat inside source static tcp 192.168.10.68 5800 interface FastEthernet0/0 5800

overload of IP nat inside source list 170 interface FastEthernet0/0

IP nat inside source static tcp 192.168.10.10 80 interface FastEthernet0/0 8095

IP nat inside source static tcp 192.168.10.68 5900 interface FastEthernet0/0 5900

overload of IP nat inside source list interface FastEthernet0/0.245 NAT1

!

access-list 150 permit ip 192.168.10.0 0.0.0.255 172.16.0.0 0.0.0.255

access-list 170 refuse ip 192.168.10.0 0.0.0.255 172.16.0.0 0.0.0.255

access-list 170 permit ip 192.168.10.0 0.0.0.255 any

Best regards

Didier

Didier,

I'm sorry for the delay!

I'll try to help you with this issue until he gets is resolved :-)

Now... Certainly, I think that the best solution is to have a static IP address so that we can fill with a roadmap, which is an option?

Federico.

[WRVS4400N] RADIUS with VPN?

Hello

I have an Active Directory with RADIUS server and I intend to buy a wireless router with VPN functionality,

I took a glance at the WRVS4400N documentation and I saw the use of RADIUS with 802. 1 X and wireless, but nothing about its use with VPN...

It is therefore possible to use RADIUS for authentication on the VPN?

Thank you

Hi Mathieu chick and welcome in the community at the homepage of Cisco!

The WRVS440N is managed by the Cisco Small Business Support Community.

For discussions about this product, go here.

Looking for Wireless-N Gigabit Router with VPN

Hi all

I recently bought the WRT310N Wireless - N Gigabit Router and I'm in love! I've updated from an old Netgear router, so now I'm enjoying performance gigabit.

After buying my SIN, I now use VPN to connect to my NAS when I'm remote. I started to look at installing openVPN on my NAS, but it seemed complicated and buggy, so who's got when I read that a large number of routers today include built-in VPN features.

I searched but did not find any Wireless-N Gigabit router that also included the VPN features. I found 10/100 routers with VPN, but not Gigabit Wireless-N.

Linksys Wireless - N Gigabit routers with VPN integrated? If Yes, can you tell me what model should I buy?

In summary, I like to keep my Wireless-N Gigabit performance and (hopefullly!) the use of the VPN on the Linksys router so that I don't have to worry about the complex and buggy software VPN installs on my NAS. How can I do this?

Thank you!

As far as I know model onlyh 1 that is suited to your requirement is WRVS4400N. Its a Wireless Gigabit router.

Problems with my 4 port Gigabit Security Router with VPN

OK, I got a wireless router and I have a Web site hosted by 1and1.com and I could connect my fine site. But recently I got the 4 port Gigabit Security Router with VPN and since then I have not been able to connect to it even, I started my own ftp server it always blocks and it will capture everything until she tries to recover the files, then it expires just after a while

What is the model number of your device? If you have a Web server and an FTP server behind the router, you will need to transfer the ports used by the said request. Ports TCP 80 and TCP 21.

C6280, win7 cannot print via active network with VPN

Hi, I have 2 PCs, one Vista, one on Win7. With Vista, I can print over the network.

Also, via USB on the win7 PC I can print.

But I can't print via active on the Win7 with VPN network. Without VPN, it works.

I had several problems with the installation of the SW. Finally it worked (I think I had to turn my VPN connection)

It recognizes the printer, the State says: ready, but when I print, I get an error after a while.

When I stop the VPN, I can print.

I tried to load the patch for Win 7 (recommended on HP circuit (printer disappears), but what it says that I don't have the SW right?)

any idea?

Hi ReneH,

I am pleased to hear that the problem has been resolved. Have a wonderful day.

3 RVS 4000 with VPN connection

Hello

I want to connect in a triangle 3 RVS 4000 router with VPN

I configured 3 routers, which can connect to the Internet. Each of them are configured as the gateway.

I created 2 tunnels on each router. But the vpn connection cannot be established.

Here is the configuration of ROUTER1 another are configured in the same way, only the remote group configuration is different

What I also open some ports for VPN, if yes which and were

Thanks fpr your help and your response

HP. Meyer

Hi hanspetermeyer,

Thank you for posting. You don't need to open all the ports for VPN. I noticed that your screenshot shows two routers have a common LAN subnet of 192.168.100.x. You will need a different local subnet for each router:
1. 1 router: 192.168.1.1
2. Router 2: 192.168.2.1
3. Router 3: 192.168.3.1
I think that you will find the tunnels only connect once you change the LAN IP of the routers so that they are on different subnets. Please let us know if it works.

NAT with access-list

Now,.

I want nat by looking at the destination address.

example if destination is A nat for x pool network, and if the destination is something different then nat to the pool of y.

IOS supports natting with ACLs and road maps.

but as stated in the order reference specifying acl is valid only for the nat 0.

So how can I nat based on destination address.

is it possible with pix?

If so, how?

Thanks in advance

You can not do conditional NAT based on destination on the Pix address. The only way to achieve this would be to have several interfaces with itineraries that would send traffic for each interface, NAT them as appropriate.

NAT with VPN

Similar Questions

Maybe you are looking for