NATting for VPN traffic only

I have a client with an ASA 5505 who has several networks, he tries to communicate via a VPN tunnel with a desktop remotely. One of the networks does not work because it is also used on the other side of the tunnel management interface, and none of both sides seem ready to re - IP their interior space.

Their proposed solution is to NAT the contradictory network on this side to a different subnet firewall before passing through the tunnel. How to implement a NAT which only uses the VPN tunnel while the rest of the traffic that comes through this device of the United-NATted Nations?

The network in question is 192.168.0.0/24. Their target you want the NAT is 172.16.0.0/24. Config of the SAA is attached.

Hello

Basically, the political dynamic configuration PAT should work to connect VPN L2L because the PAT political dynamics is processed before PAT/NAT dynamic configurations.

Only NAT configurations that can replace this dynamic NAT of the policy are

NAT0 / exempt NAT configuration
Strategy static NAT/PAT
Public static NAT/PAT

And because we have determined that the only problem is with the network 192.168.0.0/24 and since there is no static configuration NAT/PAT or static policy NAT/PAT, then PAT political dynamics should be applied. Unless some configurations NAT0 continues to cause problems.

The best way to determine what rules are hit for specific traffic is to use the command "packet - trace" on the SAA

Packet-trace entry inside tcp 192.168.0.100 12345 10.1.7.100 80

For example to simulate an HTTP connection at random on the remote site

This should tell us for example

Where the package would be sent
He would pass the ACL interface
What NAT would be applied
It would correspond to any configuration VPN L2L
and many others

Then can you take a sample output from the command mentioned twice and copy/paste the second result here. I ask get exit twice because that where the actual VPN L2L negotiations would go through the first time that this command would only raise the L2L VPN while the second command could show already all the info of what actually passed to the package simulated.

In addition, judging by the NAT format you chose (political dynamics PAT), I assume that only your site connects to the remote site? Given that the political dynamics PAT (or dynamic PAT) normal does not allow creating a two-way connection. Connections can be opened that from your site to the remote site (naturally return traffic through automatically because existing connections and translations)

-Jouni

Tags: Cisco Security

Similar Questions

Making the NAT for VPN through L2L tunnel clients

Hi.I has the following situation in my network. We need for users who log on our site with the VPN clients to connect to another site via a tunnel L2L. The problem is that I need NAT addresses from the pool of VPN client in another beach before going on the L2L tunnel because on the other side, we have duplication of networks.

I tried to do NAT with little success as follows:

ACL for pool NAT of VPN:

Extended list ip 192.168.253.0 access TEST allow 255.255.255.0 192.168.0.0 255.255.255.0

Extended list ip 192.168.253.0 access TEST allow 255.255.255.0 192.168.5.0 255.255.255.0

NAT:

Global 172.20.105.1 - 172.20.105.254 15 (outdoor)

NAT (inside) 15 TEST access-list

CRYPTO ACL:

allowed ro access list extended LAN ip 255.255.0.0 192.168.0.0 255.255.255.0

allowed ro access list extended LAN ip 255.255.0.0 192.168.5.0 255.255.255.0

IP 172.20.105.0 RO allow extended access list 255.255.255.0 192.168.0.0 255.255.255.0

IP 172.20.105.0 RO allow extended access list 255.255.255.0 192.168.5.0 255.255.255.0

permit same-security-traffic intra-interface

Am I missing something here? Something like this is possible at all?

Thanks in advance for any help.

We use the ASA 5510 with software version 8.0 (3) 6.

You need nat to the outside, not the inside.

NAT (outside) 15 TEST access-list

Capture packets for VPN traffic

Hi team,

Please help me to set the ACL and capture for remote access VPN traffic.

To see the amount of traffic flows from this IP Source address.

Source: Remote VPN IP (syringe) 10.10.10.10 access

Destination: any

That's what I've done does not

extended VPN permit tcp host 10.10.10.10 access list all

interface captures CAP_VPN VPN access to OUTSIDE gross-list data type

Hello

If you have configured capture with this access list, you filter all TCP traffic, so you will not be able to see the UDP or ICMP traffic too, I would recommend using the ACL, although only with intellectual property:

list of allowed extended VPN ip host 10.10.10.10 access everything

Capture interface outside access, VPN CAP_VPN-list

Then with:

See the capture of CAP_VPN

You will be able to see the packet capture on the SAA, you can export the capture of a sniffer of packages as follows:

https:// /capture//pcap capname--> CAP

For more details of capture you can find it on this link

Let me know if you could get the information that you were trying to achieve.

Please Don t forget to rate and score as correct the helpful post!

David Castro,

Kind regards

Policy NAT for VPN L2L

Summary:

We strive to establish a two-way VPN L2L tunnel with a partner. VPN traffic is one-to-many towards our partner, and our partner they need of a many-to-one to us (they need to access a host on our network). In addition, our partner has many VPN, so they force us to use a separate NAT with two private hosts addresses, one for each direction of the tunnel.

My initial configuration of the tunnel on my grown up side of Phase 1, but not IPSec. Partner ran debug that revealed that my host did not address NAT'd in the NAT policy. We use an ASA5520, ver 7.0.

Here is the config:

# #List of OUR guests

the OURHosts object-group network

network-host 192.168.x.y object

# Hosts PARTNER #List

the PARTNERHosts object-group network

network-host 10.2.a.b object

###ACL for NAT

# Many - to - many outgoing

access-list extended NAT2 allowed ip object-group OURHosts-group of objects PARTNERHosts

# One - to - many incoming

VIH3 list extended access permit ip host 192.168.c.d PARTNERHosts object-group

# #NAT

NAT (INSIDE) 2-list of access NAT2

NAT (OUTSIDE) 2 172.20.n.0

NAT (INSIDE) 3 access-list VIH3

NAT (OUTSIDE) 3 172.20.n.1

# #ACL for VPN

access list permits extended VPN ip object-group objects PARTNERHosts OURHosts-group

access allowed extended VPN ip host 192.168.c.d PARTNERHosts object-group list

# #Tunnel

tunnel-group type ipsec-l2l

card <#>crypto is the VPN address

card crypto <#>the value transform-set VPN

card <#>crypto defined peer

I realize that the ACL for the VPN should read:

access allowed extended VPN ip host 172.20.n.0 PARTNERHosts object-group list

access allowed extended VPN ip host 172.20.n.1 PARTNERHosts object-group list

.. . If the NAT was working properly, but when this ACL is used, Phase 1 is not even negotiating, so I know the NAT is never translated.

What am I missing to NAT guests for 172.20 addresses host trying to access their internal addresses via the VPN?

Thanks in advance.

Patrick

Here is the order of operations for NAT on the firewall:

1 nat 0-list of access (free from nat)

2. match the existing xlates

3. match the static controls

a. static NAT with no access list

b. static PAT with no access list

4. match orders nat

a. nat [id] access-list (first match)

b. nat [id] [address] [mask] (best match)

i. If the ID is 0, create an xlate identity

II. use global pool for dynamic NAT

III. use global dynamic pool for PAT

If you can try

(1) a static NAT with an access list that will have priority on instruction of dynamic NAT

(2) as you can see on 4A it uses first match with NAT and access list so theoretically Exchange autour should do the trick.

I don't see any negative consequences? -Well Yes, you could lose all connectivity. I don't think that will happen, but I can't promise if you do absolutely not this after-hours.

Jon

What is the correct way to PAT outbound on a 5540 for VPN traffic?

We lack 8.3 (2) in the ASA5540. Throughout our company, users connect to application of a business through the ASA/VPN partner. We have an address space of class b, and because users are spread in all directions, I have the entire space class b as the local object in the ACL that allows traffic through the VPN tunnel.

The business partner is worried that our entire address space is available to access the VPN tunnel. So I thought, to help the aliviate concerns, PAT all our outbound connections to a single IP address.

How this is done in 8.3 (2)? ASDM to configure the 5540. For example, our class b is 159.12.0.0 and the PAT would have IP address will be 199.30.36.6.

You can try:

purpose of group 159.12.0.0_VPN

network-object 159.12.0.0 255.255.0.0

purpose of group 199.30.36.6_VPN_PAT

Home 199.30.36.6

object group remote_location

network-object

NAT (interface, interface) dynamic source 159.12.0.0_VPN destination 199.30.36.6_VPN_PAT static remote_location remote_location

I would only give it a shot... You would NATting twice he... (You should replace 'interface', 'interface' with the actual interface names. You probably already knew that.)

Disable the NAT for VPN site-to-site

Hello world

I work in a company, and we had to make a VPN site-to site.

Everything works fine, except that the packages sent to my site are translated, in other words: the firewall on the other site (site_B) see only the IP address of my firewall (Site_A).

I tried to solve the problem, but without success, I think that natives of VPN packets is the problem.

Here is my current config running:

ASA Version 8.3(2)

hostname ciscoasa

enable password 9U./y4ITpJEJ8f.V encrypted

passwd 2KFQnbNIdI.2KYOU encrypted

names

interface Vlan1

nameif inside

security-level 100

ip address 192.168.67.254 255.255.255.0

interface Vlan2

nameif outside

security-level 0

ip address 41.220.X.Y 255.255.255.252 (External WAN public IP Address)

interface Ethernet0/0

switchport access vlan 2

interface Ethernet0/1

interface Ethernet0/2

interface Ethernet0/3

interface Ethernet0/4

interface Ethernet0/5

interface Ethernet0/6

interface Ethernet0/7

ftp mode passive

clock timezone CET 1

object network obj_any

subnet 0.0.0.0 0.0.0.0

object network 41.220.X1.Y1

host 41.220.X1.Y1

object network NETWORK_OBJ_192.168.67.0_24

subnet 192.168.67.0 255.255.255.0

object network NETWORK_OBJ_172.19.32.0_19

subnet 172.19.32.0 255.255.224.0

object network 194.2.176.18

host 194.2.XX.YY (External IP address public of the other site (Site_B))

description 194.2.XX.YY

access-list inside_access_in extended permit ip any any log warnings

access-list inside_access_in extended permit ip object NETWORK_OBJ_172.19.32.0_19 object NETWORK_OBJ_192.168.67.0_24 log debugging

access-list inside_access_in extended permit ip object 194.2.176.18 any log debugging

access-list inside_access_in extended permit ip any object NETWORK_OBJ_172.19.32.0_19 log debugging

access-list outside_1_cryptomap extended permit ip 192.168.67.0 255.255.255.0 172.19.32.0 255.255.224.0 log debugging

access-list outside_1_cryptomap extended permit ip any object NETWORK_OBJ_172.19.32.0_19 log debugging

access-list 1111 standard permit 172.19.32.0 255.255.224.0

access-list 1111 standard permit 192.168.67.0 255.255.255.0

access-list outside_1_cryptomap_1 extended permit ip 172.19.32.0 255.255.224.0 any log debugging

access-list outside_1_cryptomap_1 extended permit ip any object NETWORK_OBJ_172.19.32.0_19 log debugging

access-list outside_1_cryptomap_2 extended permit ip 192.168.67.0 255.255.255.0 172.19.32.0 255.255.224.0 log debugging

access-list outside_1_cryptomap_2 extended permit ip any object NETWORK_OBJ_172.19.32.0_19 log debugging

access-list outside_access_in extended permit ip any any log warnings

access-list outside_access_in extended permit ip object 194.2.XX.YY any log debugging

access-list outside_access_in extended permit ip any object NETWORK_OBJ_172.19.32.0_19 log debugging

access-list nonat extended permit ip 192.168.67.0 255.255.255.0 176.19.32.0 255.255.224.0

access-list nonat extended permit ip 192.168.67.0 255.255.255.0 172.19.32.0 255.255.224.0

pager lines 24

logging enable

logging monitor informational

logging asdm warnings

mtu inside 1500

mtu outside 1500

icmp unreachable rate-limit 1 burst-size 1

icmp permit any inside

icmp permit any outside

no asdm history enable

arp timeout 14400

nat (inside,outside) source dynamic any interface

nat (inside,outside) source static NETWORK_OBJ_192.168.67.0_24 NETWORK_OBJ_192.168.67.0_24 destination static NETWORK_OBJ_172.19.32.0_19 NETWORK_OBJ_172.19.32.0_19

access-group inside_access_in in interface inside

access-group outside_access_in in interface outside

route outside 0.0.0.0 0.0.0.0 41.220.X.Y 1

timeout xlate 3:00:00

timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02

timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00

timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00

timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute

timeout tcp-proxy-reassembly 0:01:00

dynamic-access-policy-record DfltAccessPolicy

aaa authentication ssh console LOCAL

aaa authentication telnet console LOCAL

http server enable

http 192.168.67.0 255.255.255.0 inside

http 0.0.0.0 0.0.0.0 outside

no snmp-server location

no snmp-server contact

snmp-server enable traps snmp authentication linkup linkdown coldstart

crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac

crypto ipsec transform-set ESP-DES-SHA esp-des esp-sha-hmac

crypto ipsec security-association lifetime seconds 28800

crypto ipsec security-association lifetime kilobytes 4608000

crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set transform-set ESP-DES-MD5

crypto map outside_map 1 match address outside_1_cryptomap_2

crypto map outside_map 1 set peer 194.2.XX.YY

crypto map outside_map 1 set transform-set ESP-DES-MD5

crypto map outside_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP

crypto map outside_map interface outside

crypto map inside_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP

crypto map inside_map interface inside

crypto isakmp enable inside

crypto isakmp enable outside

crypto isakmp policy 10

authentication pre-share

encryption des

hash md5

group 2

lifetime 86400

telnet 192.168.67.200 255.255.255.255 inside

telnet timeout 5

ssh 0.0.0.0 0.0.0.0 outside

ssh timeout 30

console timeout 0

dhcpd auto_config outside

threat-detection basic-threat

threat-detection statistics access-list

no threat-detection statistics tcp-intercept

webvpn

username bel_md password HSiYQZRzgeT8u.ml encrypted privilege 15

username nebia_said password qQ6OoFJ5IJa6sgLi encrypted privilege 15

tunnel-group 194.2.XX.YY type ipsec-l2l

tunnel-group 194.2.XX.YY ipsec-attributes

pre-shared-key *****

class-map inspection_default

match default-inspection-traffic

policy-map type inspect dns preset_dns_map

parameters

message-length maximum client auto

message-length maximum 512

policy-map global_policy

class inspection_default

inspect dns preset_dns_map

inspect ftp

inspect h323 h225

inspect h323 ras

inspect rsh

inspect rtsp

inspect esmtp

inspect sqlnet

inspect skinny

inspect sunrpc

inspect xdmcp

inspect sip

inspect netbios

inspect tftp

inspect ip-options

inspect icmp

inspect ipsec-pass-thru

service-policy global_policy global

prompt hostname context

Cryptochecksum:0398876429c949a766f7de4fb3e2037e

: end

If you need any other information or explanation, just ask me.

My firewall model: ASA 5505

Thank you for the help.

Hey Houari,.

I suspect something with the order of your NATing statement which is:

NAT (inside, outside) static static source NETWORK_OBJ_172.19.32.0_19 destination NETWORK_OBJ_192.168.67.0_24 NETWORK_OBJ_192.168.67.0_24 NETWORK_OBJ_172.19.32.0_19

Can you please have this change applied to the ASA:

No source (indoor, outdoor) nat static static NETWORK_OBJ_172.19.32.0_19 destination NETWORK_OBJ_192.168.67.0_24 NETWORK_OBJ_192.168.67.0_24 NETWORK_OBJ_172.19.32.0_19

NAT (inside, outside) 1 static source NETWORK_OBJ_192.168.67.0_24 NETWORK_OBJ_192.168.67.0_24 static destination NETWORK_OBJ_172.19.32.0_19 NETWORK_OBJ_172.19.32.0_19

Try and let me know how it goes.

If she did not help, please put the output form a package tracer will shape your internal network to the remote VPN subnet with the release of «see the nat detail»

HTH,

Mo.

Rule of NAT for vpn access... ?

Hey, putting in place the vpn ssl via the client Anyconnect on a new ASA 5510, ASA ASDM 6.4.5 8.4.2.

I am able to 'connect' through the anyconnect client, & I am assigned an ip address from the pool of vpn that I created, but I can't ping or you connect to internal servers.

I think that I have configured the split tunneling ok following the guide below, I can browse the web nice & quickly while connected to the vpn but just can't find anything whatsoever on the internal network.

http://www.Cisco.com/en/us/products/ps6120/products_configuration_example09186a0080975e83.shtml

I suspect her stockings for a nat rule, but I am a bit stuck if it should be a rule of nat object network or if it must be dynamic/static & if its between the external interface or external ip & network inside or the VPN (I created the pool on a different subnet), or a 'Beach' (but then I am getting overlapping ip errors when I try to create a rule for a range of IP addresses.

Any advice appreciated,

Hi Eunson,

After have connected you to the ASA that clients receive an IP address, let's say 192.168.10.0/24 pool, the network behind the ASA is 192.168.20.0/24.

On the SAA, you would need an NAT exemption for 192.168.20.0 to 192.168.10.0

Create two groups of objects, for pool VPN and your itnernal LAN.

object-group network object - 192.168.20.0

object-network 192.168.20.0 255.255.255.0

object-group network object - 192.168.10.0

object-network 192.168.10.0 255.255.255.0

NAT (inside, outside) 1 source static object - 192.168.20.0 object - 192.168.20.0 destination static object - 192.168.10.0 object - 192.168.10.0 non-proxy-arp-search to itinerary

At the inside = interface behind which is your LOCAL lan

Outside = the interface on which the Clients connect.

If you can't still access then you can take the shot on the inside interface,

create and acl

access-list allowed test123 ip host x.x.x.x y.y.y.y host

access-list allowed test123 ip host host x.x.x.x y.y.y.y

interface test123 captures inside test123 access list

view Cape test123

It will show if the packages are extinguished inside the interface and if we see that the answers or not. If we have all the answers, this means that there might be a routing on the internal LAN problem as devices know may not be not to carry the traffic of 192.168.10.0 return to the ASA inside the interface.

Or maybe it's that there is a firewall drop packets on your internal LAN.

HTH

Issue of NAT for VPN

If I have a LAN or 10.1.1.0/24 and I want NAT all of the hosts in 192.168.1.0/24. I really don't want to create the object for each unique host network, because it's just for a lot. I just wanted to confirm by creating two objects then natting them must configure a NAT right one?

network object obj - 10.1.1.0

10.1.1.0 subnet 255.255.255.0

!

network object obj - 192.168.1.0

subnet 192.168.1.0 255.255.255.0

!

NAT (inside, outside) source static obj - 10.1.1.0 obj - 192.168.1.0 statick "remotely" destination "at a distance".

Now when the remote network need access to network 10.1.1.0/24 hosts they should just be able to access to?

10.1.1.1 will map to 192.168.1.1

10.1.1.2 will map to 192.168.1.2

10.1.1.3 will map to 192.168.1.3

and so on...?

In addition,

A test on my ASA home

Configuration

the object of the LAN network

10.0.0.0 subnet 255.255.255.0

network of the REMOTE object

subnet 10.0.1.0 255.255.255.0

network of the LAN - NAT object

10.0.100.0 subnet 255.255.255.0

LAN LAN destination - static NAT NAT (LAN, WAN) static source REMOTE

LAN remotely

ASA (config) # packet - trace tcp 10.0.0.10 LAN entry 1025 10.0.1.1 80

Phase: 3

Type: NAT

Subtype:

Result: ALLOW

Config:

LAN LAN destination - static NAT NAT (LAN, WAN) static source REMOTE

Additional information:

Definition of static 10.0.0.10/1025 to 10.0.100.10/1025

REMOTE CONTROL FOR LAN

ASA (config) # packet - trace entry WAN tcp 10.0.1.100 1025 10.0.100.10 80

Phase: 1

Type: UN - NAT

Subtype: static

Result: ALLOW

Config:

LAN LAN destination - static NAT NAT (LAN, WAN) static source REMOTE

Additional information:

NAT divert on the LAN of the output interface

Untranslate 10.0.100.10/80 to 10.0.0.10/80

-Jouni

NAT on the VPN traffic

Hello everyone, I need help in a vpn configuration, this is the problem that I need nat all vpn traffic because I net to put into place a vpn but I already have another vpn with the same network, so that overlap with the new one, then how I can nat overlaps all traffic to another network in order to avoid the network?.

Please I really need help

Thank you

You say that the 192.168.1.100 is able to go through the tunnel and the internet now?

Try to add another...

IP nat inside source static 192.168.1.101 10.10.44.101 map route VPN

for example.

Federico.

ASA encrypt interesting VPN traffic

Hello everybody out there using ASA.

I had a few IPSEC VPN tunnels between the company's central site and remote sites.

Two dsl lines were connected to the ASA, one for VPN traffic and the other for the internet.

The default gateway has been configured online internet, some static while insured roads as traffic to the sites of the company was sent through the other line.

A few days ago we changed the configuration of ASA to use only a single dsl connection, then the line serving the internet has been cut, while the other will become the gateway default and static routes have been removed.

The VPN connections instant stopped working and trying to send packets to the remote lan, it seems that ASA will not recognize that the traffic is encrypted. Obviousely we checked cryptomap, acl, ecc, but we find no problem... do you have any suggestions?

Thanks in advance,

Matt

-----------------------------------------------------------------------------------------------------------------------------------------------------------------

XNetwork object network
10.10.0.0 subnet 255.255.255.0

network of the YNetwork object
172.0.1.0 subnet 255.255.255.0

card crypto RB1ITSHDSL001_map2 1 corresponds to the address RB1ITSHDSL001_1_cryptomap
card crypto RB1ITSHDSL001_map2 1 set peer a.b.c.186
RB1ITSHDSL001_map2 1 transform-set ESP-3DES-SHA crypto card game

RB1ITSHDSL001_1_cryptomap list extended access permitted ip XNetwork object YNetwork

-------------------------------------------------------------------------------------------------------------------------------------------------------------------

Hello

Your exit the ASA must be encrypting the traffic between XNetwork and YNetwork.

If the ASA does not encrypt this traffic, it could be because there is a problem with the NAT configuration.

When the ASA receives a packet, it must first check if there are ACLs that allows traffic, passes through the inspection engine and check that the associated NAT. For example, if the package is coordinated, then the private IP encryption will never take place.

Could ensure you that packets from the XNetwork are really reach the ASA, the NAT rule is correct and you may be looking for "debugging cry isa 127" and "scream ips 127" debug to check for errors of incompatibility.

In addition, what is the condition of the tunnel trying to communicate: "sh cry isa his"

Federico.

Two links one for VPN Site to Site and another for internet on the same router configuration

Hi all

I have 2 internet links an ADSL and lease terminated on the same router. I need to configure ADSL for VPN site-to-site of HO and internet leased line dedicated for all users.

my site IP subnet is 10.10.100.0/24 and HO subnet is 10.1.0.0/24. Please find attached Config and advice it will be OK and works fine

Thanks in advance...

Mikael

Hello

For me, it looks like it has configured the route correctly;

ip route 0.0.0.0 0.0.0.0 fastethernet4 -> for all traffic to the internet.

Road 10.1.0.0 ip 255.255.255.0 Dialer1 -> for vpn traffic to HO.

The public_IP_HO must be defined according to the map of encryption using the set by the peers command.

I want to add is on the isakmp policy hash attribute, you can choose between sha/md5 or whatever available on your device. Make sure that the isakmp policy to match political isakmp of your HO.

The other thing is the acl for the internet. You may want to consider replacing the deny statement if you want to deny traffic only to your jar currently it is said to deny all traffic 10.10.100.0 10.0.0.0 network, not to the 10.1.0.0 HO (network).

HTH,

VPN needs access to all external internal vpn traffic traffic all in tunnel

Hello

Could someone help me find the problem?

I am ASA configuration as firewall + vpn server, essentially outside of the device's access T1 (there are two VLANS in inside via an iptables, outside of iptables is on the same vlan as insdie of ASA (192.168.5.1 and 192.168.5.2).) VPN users are authenticated via authentication 2 factors (SDI, ip is 192.168.5.5) and get the ACL by local database. pool of VPN is 192.168.6.1 - 192.168.6.15. pool of VPN is coordinated to the external IP address

trying to access a remote host A from the host a is open for the IP and one specific Protocol. all vpn traffic are in the tunnel. the VPN user can connected and ACL vpnuser1_ONLY not working does not as expected.

Here is the part of configuration:

ASA Version 8.2 (2)
...........

Route outside 0.0.0.0 0.0.0.0 xx.10.194.193 1

Route inside companynet1 255.255.255.0 192.168.5.2 1

Route inside companynet2 255.255.255.0 192.168.5.2 1

Route inside companynet3 255.255.255.0 192.168.5.2 1

Route inside companynet4 255.255.255.0 192.168.5.2 1

...............

Route inside companynetn 255.255.255.0 192.168.5.2 1

NAT (inside) 4 vpnpool 255.255.255.0 outside <--------- is="" this="">

Global (outside) 4 xx.10.194.238 netmask 255.255.255.255

Split-tunnel-policy tunnelall

.....................

vpnuser1_ONLY list extended access permitted tcp vpnpool 255.255.255.0 192.168.1.28 host 255.255.255.255 eq ssh connect

vpnuser1_ONLY list extended access permitted tcp vpnpool 255.255.255.0 74.2.23.195 host 255.255.255.255 eq ssh connect

............

enable SVC

tunnel-group-list activate

attributes of Group Policy DfltGrpPolicy

VPN - connections 8

VPN-idle-timeout 10

VPN-session-timeout 60

Protocol-tunnel-VPN l2tp ipsec

WebVPN

SVC Dungeon - install any

time to generate a new key of SVC 8

SVC generate a new method ssl key

SVC request no svc default

internal GroupPolicy1 group strategy

attributes of Group Policy GroupPolicy1

VPN - connections 1

VPN-idle-timeout 9

VPN-session-timeout 45

VPN-tunnel-Protocol svc

Split-tunnel-policy tunnelall

WebVPN

SVC Dungeon - install any

time to generate a new key of SVC 15

SVC generate a new method ssl key

client of dpd-interval SVC 30

dpd-interval SVC 30 bridge

value of deny message connection succeeded, but because some criteria have not been met, or because of a specific group policy, you are not allowed to use the VPN features. For more information, contact your COMPUTER administrator.

disable the SVC routing-filtering-ignore

username vpnuser1 encrypted password xxxxxxx

username vpnuser1 attributes

VPN-group-policy GroupPolicy1

VPN-idle-timeout 6

VPN-session-timeout 20

VPN-filter value vpnuser1_ONLY

VPN-tunnel-Protocol svc

value of group-lock COMAVPN

type of remote access service

tunnel-group DefaultRAGroup webvpn-attributes

Disable group companyvpn aliases

type tunnel-group COMAVPN remote access

attributes global-tunnel-group COMAVPN

address (inside) vpnpool pool

address vpnpool pool

SDI Group-authentication server

authentication-server-group (inside) SDI

LOCAL authority-server-group

Group Policy - by default-GroupPolicy1

tunnel-group COMAVPN webvpn-attributes

activation of the Group companyremote alias

I did anything wrong / missing?

Thank you

Yijun

First of all, you can set "no nat-control" because once you have relieved of NAT, 'no nat-control' becomes disable anyway. 'No nat-control' is useful if you have no statement of NAT at all on the interface.

Second, if you can't access the outside inside which is because you must configure the NAT exemption. Not sure if you have configured it.

Here's the command:

access-list allowed sheep ip 192.168.1.0 255.255.255.0 192.168.6.0 255.255.255.0

NAT (inside) 0 access-list sheep

You can then add all other subnets that are internal to the ACL sheep if you need VPN access.

Finally, for the error message deny on access-group "OUTSIDE", you would need check if you have configured "sysopt connection VPN-enabled'. If it is disabled, it will also check the "OUTSIDE" interface for VPN traffic.

7.2 ASA5520 - filters VPN traffic

Hi all,

I would like to know how can I filter out VPN traffic with a list of access, by using the source address and port of destination as filters.

I tried with "no sysopt permit vpn connection" but it is to filter the traffic through the VPN tunnel and I want to filter the host which can establish the VPN tunnel.

I did it in a router with this access list:

Note access-list 101 VPN

access-list 101 permit ahp host x.x.x.x everything

access-list 101 permit esp host x.x.x.x any newspaper

access-list 101 permit host x.x.x.x esp all

access-list 101 permit udp host x.x.x.x any eq isakmp

access-list 101 permit udp host x.x.x.x any eq non500-isakmp

But I tried the same thing in the ASA and does not work, I think it's because the ASA does not apply the access list for VPN traffic.

Sincerely, Fernando.

Fernando

You can disable it with "no crypto isakmp are outside", but then even if you apply an acl to the outside which allows all IP, ESP, AH it still does not allow an IPSEC connection.

So for the moment I see no way to do this without using an acl on your router upstream.

I'll do a reading just in case I missed something.

Jon

Traffic permitted only one-way for VPN-connected computers

Hello

I currently have an ASA 5505. I put up as a remote SSL VPN access. My computers can connect to the VPN very well. They just cannot access the internal network (192.168.250.0). They cannot ping the inside interface of the ASA, nor any of the machines. It seems that all traffic is blocked for them. The strange thing is that when someone is connected to the VPN, I can ping this ASA VPN connection machine and other machines inside the LAN. It seems that the traffic allows only one way. I messed up with ACL with nothing doesn't. Any suggestions please?

Pool DHCP-192.168.250.20 - 50--> for LAN

Pool VPN: 192.168.250.100 and 192.168.250.101

Outside interface to get the modem DHCP

The inside interface: 192.168.1.1

Courses Running Config:

: Saved

:

ASA Version 8.2 (5)

!

hostname HardmanASA

activate the password # encrypted

passwd # encrypted

names of

!

interface Ethernet0/0

switchport access vlan 20

!

interface Ethernet0/1

switchport access vlan 10

!

interface Ethernet0/2

switchport access vlan 10

!

interface Ethernet0/3

Shutdown

!

interface Ethernet0/4

Shutdown

!

interface Ethernet0/5

Shutdown

!

interface Ethernet0/6

Shutdown

!

interface Ethernet0/7

switchport access vlan 10

!

interface Vlan1

No nameif

no level of security

no ip address

!

interface Vlan10

nameif inside

security-level 100

IP 192.168.250.1 255.255.255.0

!

interface Vlan20

nameif outside

security-level 0

IP address dhcp setroute

!

passive FTP mode

DNS lookup field inside

DNS domain-lookup outside

pager lines 24

Within 1500 MTU

Outside 1500 MTU

mask 192.168.250.100 - 192.168.250.101 255.255.255.0 IP local pool VPN_Pool

ICMP unreachable rate-limit 1 burst-size 1

don't allow no asdm history

ARP timeout 14400

Global interface 10 (external)

NAT (inside) 10 192.168.250.0 255.255.255.0

Timeout xlate 03:00

Timeout conn 01:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02

Sunrpc timeout 0:10:00 h323 0:05:00 h225 mgcp from 01:00 0:05:00 mgcp-pat 0:05:00

Sip timeout 0:30:00 sip_media 0:02:00 prompt Protocol sip-0: 03:00 sip - disconnect 0:02:00

Timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute

timeout tcp-proxy-reassembly 0:01:00

Floating conn timeout 0:00:00

dynamic-access-policy-registration DfltAccessPolicy

the ssh LOCAL console AAA authentication

Enable http server

http 192.168.250.0 255.255.255.0 inside

No snmp server location

No snmp Server contact

Server enable SNMP traps snmp authentication linkup, linkdown cold start

life crypto ipsec security association seconds 28800

Crypto ipsec kilobytes of life - safety 4608000 association

Telnet timeout 5

SSH 192.168.250.0 255.255.255.0 inside

SSH timeout 5

SSH version 2

Console timeout 0

dhcpd dns 8.8.8.8

!

dhcpd address 192.168.250.20 - 192.168.250.50 inside

dhcpd allow inside

!

a basic threat threat detection

Statistics-list of access threat detection

no statistical threat detection tcp-interception

WebVPN

allow outside

SVC disk0:/anyconnect-win-2.5.2014-k9.pkg 1 image

SVC disk0:/anyconnect-macosx-i386-2.5.2014-k9.pkg 2 image

Picture disk0:/anyconnect-linux-2.5.2014-k9.pkg 3 SVC

enable SVC

tunnel-group-list activate

attributes of Group Policy DfltGrpPolicy

value of server DNS 8.8.8.8

Protocol-tunnel-VPN IPSec l2tp ipsec svc webvpn

tunnel-group AnyConnect type remote access

tunnel-group AnyConnect General attributes

address pool VPN_Pool

tunnel-group AnyConnect webvpn-attributes

enable AnyConnect group-alias

!

class-map inspection_default

match default-inspection-traffic

!

!

type of policy-card inspect dns preset_dns_map

parameters

maximum message length automatic of customer

message-length maximum 512

Policy-map global_policy

class inspection_default

inspect the preset_dns_map dns

inspect the ftp

inspect h323 h225

inspect the h323 ras

Review the ip options

inspect the netbios

inspect the rsh

inspect the rtsp

inspect the skinny

inspect esmtp

inspect sqlnet

inspect sunrpc

inspect the tftp

inspect the sip

inspect xdmcp

!

global service-policy global_policy

context of prompt hostname

no remote anonymous reporting call

call-home

Profile of CiscoTAC-1

no active account

http https://tools.cisco.com/its/service/oddce/services/DDCEService destination address

email address of destination [email protected] / * /

destination-mode http transport

Subscribe to alert-group diagnosis

Subscribe to alert-group environment

Subscribe to alert-group monthly periodic inventory

monthly periodicals to subscribe to alert-group configuration

daily periodic subscribe to alert-group telemetry

Cryptochecksum:30fadff4b400e42e73e17167828e046f

: end

Hello

No worries

As we change the config I would do as well as possible.

First, it is strongly recommended to use a different range of IP addresses for VPN clients and the internal network

No VPN_Pool 192.168.250.100 - 192.168.250.101 255.255.255.0 ip local pool mask

mask 192.168.251.100 - 192.168.251.101 255.255.255.0 IP local pool VPN_Pool

NAT_0 ip 192.168.250.0 access list allow 255.255.255.0 192.168.251.0 255.255.255.0

NAT (inside) 0-list of access NAT_0

Then give it a try and it work note this post hehe

VPN Cisco ASA 5540 L2L - one-way traffic only for the pair to a network

Hello

I'm a little confused as to which is the problem. This is the premise for the problem I have face.

One of our big clients has a Cisco ASA5540 (8.2 (2)) failover (active / standby). Early last year, we have configured a VPN from Lan to Lan to a 3rd party site (a device of control point on their end). He worked until early this week when suddenly the connection problems.

Only 1 of the 3 networks the / guests can access a remote network on the other side. 2 others have suddenly stopped working. We do not know of any change on our side and the remote end also insists that their end configurations are correct (and what information they sent me it seems to be correct)

So essentially the encryption field is configured as follows:

access-list line 1 permit extended ip 10.238.57.21 host 10.82.0.202 (hitcnt = 2)
access-list line 2 extended permit ip 10.207.0.0 255.255.0.0 10.82.0.200 255.255.255.252 (hitcnt = 198)
access-list line 3 extended permit ip 10.231.191.0 255.255.255.0 10.82.0.200 255.255.255.252 (hitcnt = 173)

Free NAT has been configured as follows (names modified interfaces):

NAT (interface1) 0-list of access to the INTERIOR-VPN-SHEEP

the INTERIOR-VPN-SHEEP line 1 permit access list extended ip 10.231.191.0 255.255.255.0 10.82.0.200 255.255.255.252
permit for Access-list SHEEP-VPN-INSIDE line lengthened 2 ip host 10.238.57.21 10.82.0.202

NAT (interface2) 0-list of access VPN-SHEEP

VPN-SHEEP line 1 permit access list extended ip 10.207.0.0 255.255.0.0 10.82.0.200 255.255.255.252

After the problem started only 10.207.0.0/16 network connections worked for the site remote 10.82.0.200/30. All other connections do not work.

There has been no change made on our side and on the side remote also insists there has been no change. I also checked how long the ASAs have been upward and how long the same device has been active in the failover. Both have been at the same time (about a year)

The main problem is that users of the 10.231.191.0/24 cant access remote network network. However, the remote user can initiate and implement the VPN on their side but usually get any return traffic. Ive also checked that the routes are configured correctly in the routers in core for the return of their connections traffic should go back to the firewall.

Also used of "packet - trace" event raising the VPN tunnel (even if it passes the phases VPN). For my understanding "packet - trace" alone with the IP source and destination addresses must activate the VPN connection (even if it generates no traffic to the current tunnel).

This is printing to the following command: "packet - trace entry interface1 tcp 10.231.191.100 1025 10.82.0.203 80.

Phase: 1
Type: ACCESS-LIST
Subtype:
Result: ALLOW
Config:
Implicit rule
Additional information:
MAC access list

Phase: 2
Type: FLOW-SEARCH
Subtype:
Result: ALLOW
Config:
Additional information:
Not found no corresponding stream, creating a new stream

Phase: 3
Type:-ROUTE SEARCH
Subtype: entry
Result: ALLOW
Config:
Additional information:
in 10.82.0.200 255.255.255.252 outside

Phase: 4
Type: ACCESS-LIST
Subtype: Journal
Result: ALLOW
Config:
Access-group interface interface1
access-list extended allow ip 10.231.191.0 255.255.255.0 10.82.0.200 255.255.255.252
Additional information:

Phase: 5
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional information:

Phase: 6
Type: INSPECT
Subtype: np - inspect
Result: ALLOW
Config:
class-map inspection_default
match default-inspection-traffic
Policy-map global_policy
class inspection_default
inspect the http
global service-policy global_policy
Additional information:

Phase: 7
Type: FOVER
Subtype: Eve-updated
Result: ALLOW
Config:
Additional information:

Phase: 8
Type: NAT-FREE
Subtype:
Result: ALLOW
Config:
NAT-control
is the intellectual property inside 10.231.191.0 255.255.255.0 outside 10.82.0.200 255.255.255.252
Exempt from NAT
translate_hits = 32, untranslate_hits = 35251
Additional information:

-Phase 9 is a static nat of the problem to another network interface. Don't know why his watch to print.

Phase: 9
Type: NAT
Subtype: host-limits
Result: ALLOW
Config:
static (interface1, interface3) 10.231.0.0 10.231.0.0 255.255.0.0 subnet mask
NAT-control
is the intellectual property inside 10.231.0.0 255.255.0.0 interface3 all
static translation at 10.231.0.0
translate_hits = 153954, untranslate_hits = 88
Additional information:

-Phase 10 seems to be the default NAT for the local network configuration when traffic is to the Internet

Phase: 10
Type: NAT
Subtype:
Result: ALLOW
Config:
NAT (interface1) 5 10.231.191.0 255.255.255.0
NAT-control
is the intellectual property inside 10.231.191.0 255.255.255.0 outside of any
dynamic translation of hen 5 (y.y.y.y)
translate_hits = 3048900, untranslate_hits = 77195
Additional information:

Phase: 11
Type: VPN
Subtype: encrypt
Result: ALLOW
Config:
Additional information:

Phase: 12
Type: VPN
Subtype: ipsec-tunnel-flow
Result: ALLOW
Config:
Additional information:

Phase: 13
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional information:

Phase: 14
Type: CREATING STREAMS
Subtype:
Result: ALLOW
Config:
Additional information:
New workflow created with the 1047981896 id, package sent to the next module

Result:
input interface: interface1
entry status: to the top
entry-line-status: to the top
output interface: outside
the status of the output: to the top
output-line-status: to the top
Action: allow

So, basically, the connection should properly go to connect VPN L2L but yet is not. I tried to generate customer traffic of base (with the source IP address of the client network and I see the connection on the firewall, but yet there is absolutely no encapsulated packets when I check "crypto ipsec to show his" regarding this connection VPN L2L.) Its almost as if the firewall only transfers the packets on the external interface instead of encapsulating for VPN?

And as I said, at the same time the remote end can activate the connection between these 2 networks very well, but just won't get any traffic back to their echo ICMP messages.

access-list extended allow ip 10.231.191.0 255.255.255.0 10.82.0.200 255.255.255.252
local ident (addr, mask, prot, port): (10.231.191.0/255.255.255.0/0/0)
Remote ident (addr, mask, prot, port): (10.82.0.200/255.255.255.252/0/0)
current_peer: y.y.y.y

#pkts program: encrypt 0, #pkts: 0, #pkts digest: 0
#pkts decaps: 131, #pkts decrypt: 131, #pkts check: 131
compressed #pkts: 0, unzipped #pkts: 0
#pkts uncompressed: 0, comp #pkts failed: 0, #pkts Dang failed: 0
success #frag before: 0, failures before #frag: 0, #fragments created: 0
Sent #PMTUs: 0, #PMTUs rcvd: 0, reassembly: 20th century / of frgs #decapsulated: 0
#send errors: 0, #recv errors: 0

If it was just a routing problem it would be a simple thing to fix, but it is not because I can see the connection I have to confirm it by the router base on the firewall, but they don't just get passed on to the VPN connection.

Could this happen due to a bug in the Software ASA? Would this be something with Checkpoint VPN device? (I have absolutely no experience with devices of control point)

If there is any essential information that I can give, please ask.

-Jouni

Jouni,

8.2.4.1 is the minimum - 8.2.4 had some issues (including TCP proxy).

If this does not resolve the problem - I suggest open TAC box to get to the bottom of this ;-)

Marcin

NATting for VPN traffic only

Similar Questions

Maybe you are looking for