Networks VPN NAT L2L problem - Dup - HELP!

I use an IOS router as an L2L VPN device to connect my site to several different customer locations, some of which use the same internal IP addresses. These VPNs have been working well.

I recently added another client to this system and I am now having a problem with the new configuration. In this configuration I NAT my internal addresses. NAT works correctly, but it NATs to the wrong common NAT addresses and therefore the tunnel does not come up.

My internal IPs: 10.10.x.x

Incorrect NAT pool: 10.129.x.x

Correct NAT pool: 10.99.x.x

Help... :))

Thank you

The problem is simple: you have an almost identical NAT ACL for two customers. Since the first NAT rule was added earlier, it is the one that matches. To resolve this, set an explicit host/subnet destination match instead of the 'any' keyword.

For example like this:

ip access-list extended ME-CRYPTO-ACL
  permit ip 10.129.40.0 0.0.0.255 host 10.10.131.63
ip access-list extended ME-NAT-ACL
  permit ip 10.10.10.0 0.0.0.255 host 10.10.131.63
ip access-list extended SA-CRYPTO-ACL
  permit ip 10.96.21.0 0.0.0.255 host 10.99.2.95
ip access-list extended SA-NAT-ACL
  permit ip 10.10.10.0 0.0.0.255 host 10.99.2.95

Another solution is more complex and harder to understand (and explain): you can use virtual-template interfaces with tunnel protection for each customer, VRFs, and NAT for common services.

___

HTH. Please rate this post if this has been helpful. If it solves your problem, please mark this message as "right answer".
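The rule-ordering behaviour described in the answer, as an added example that is not code from the original thread: a small Python model of IOS access-list matching, in-order evaluation of 'ip nat inside source' rules, and crypto-ACL matching of the translated packet. The customer hosts and pool networks come from the ACLs above; the 10.10.10.5 source host, the pool names and the one-to-one, host-bit-preserving /24 translation are assumptions made for the illustration.

```python
import ipaddress
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Added example, not code from the original thread. It models how IOS walks
# access-list entries and 'ip nat inside source' rules top-down, and why a NAT
# ACL whose destination is 'any' lets the first customer's rule capture traffic
# meant for the second customer. Assumption: each NAT pool is a one-to-one /24
# translation that keeps the host bits (like 'ip nat inside source static network').

ANY = ipaddress.IPv4Network("0.0.0.0/0")
Ace = Tuple[ipaddress.IPv4Network, ipaddress.IPv4Network]


def wildcard_to_network(addr: str, wildcard: str) -> ipaddress.IPv4Network:
    """Turn an IOS 'address wildcard' pair into a network (contiguous wildcards only)."""
    wc = int(ipaddress.IPv4Address(wildcard))
    if wc != (1 << wc.bit_length()) - 1:
        raise ValueError(f"non-contiguous wildcard mask {wildcard}")
    return ipaddress.IPv4Network((addr, 32 - wc.bit_length()), strict=False)


def parse_ace(line: str) -> Ace:
    """Parse 'permit ip <src> <dst>'; each side is 'any', 'host A.B.C.D' or 'A.B.C.D W.W.W.W'."""
    tokens = line.split()
    if tokens[:2] != ["permit", "ip"]:
        raise ValueError(f"unsupported ACE: {line}")
    tokens, nets = tokens[2:], []
    while tokens:
        if tokens[0] == "any":
            nets.append(ANY)
            tokens = tokens[1:]
        elif tokens[0] == "host":
            nets.append(ipaddress.IPv4Network(tokens[1] + "/32"))
            tokens = tokens[2:]
        else:
            nets.append(wildcard_to_network(tokens[0], tokens[1]))
            tokens = tokens[2:]
    return nets[0], nets[1]


def acl_matches(acl: List[Ace], src: ipaddress.IPv4Address, dst: ipaddress.IPv4Address) -> bool:
    """An ACL matches when some entry matches both source and destination."""
    return any(src in s and dst in d for s, d in acl)


@dataclass
class NatRule:
    name: str
    acl: List[Ace]
    pool: ipaddress.IPv4Network  # constructed pool; host bits of the source are preserved


def translate(rules: List[NatRule], src, dst) -> Tuple[Optional[str], ipaddress.IPv4Address]:
    """The first NAT rule whose ACL matches wins, as the answer above describes."""
    for rule in rules:
        if acl_matches(rule.acl, src, dst):
            host_bits = int(src) & int(rule.pool.hostmask)
            return rule.name, ipaddress.IPv4Address(int(rule.pool.network_address) | host_bits)
    return None, src


def tunnel_for(crypto_acls: Dict[str, List[Ace]], src, dst) -> Optional[str]:
    """Crypto ACL (and so crypto map entry) matching the already translated packet, if any."""
    for name, acl in crypto_acls.items():
        if acl_matches(acl, src, dst):
            return name
    return None


def simulate(rules: List[NatRule], crypto_acls, src: str, dst: str):
    """Return (NAT rule used, translated source, crypto ACL hit) for one inside->customer packet."""
    s, d = ipaddress.IPv4Address(src), ipaddress.IPv4Address(dst)
    rule, xlated = translate(rules, s, d)
    return rule, str(xlated), tunnel_for(crypto_acls, xlated, d)


# Constructed configuration using the customer hosts and pools from the answer above.
CRYPTO_ACLS = {
    "ME-CRYPTO-ACL": [parse_ace("permit ip 10.129.40.0 0.0.0.255 host 10.10.131.63")],
    "SA-CRYPTO-ACL": [parse_ace("permit ip 10.96.21.0 0.0.0.255 host 10.99.2.95")],
}
ME_POOL = ipaddress.IPv4Network("10.129.40.0/24")
SA_POOL = ipaddress.IPv4Network("10.96.21.0/24")

# Broken: both NAT ACLs end in 'any', so the ME rule (configured first) captures everything.
BROKEN_NAT = [
    NatRule("ME", [parse_ace("permit ip 10.10.10.0 0.0.0.255 any")], ME_POOL),
    NatRule("SA", [parse_ace("permit ip 10.10.10.0 0.0.0.255 any")], SA_POOL),
]
# Fixed: explicit destination hosts, as the answer recommends.
FIXED_NAT = [
    NatRule("ME", [parse_ace("permit ip 10.10.10.0 0.0.0.255 host 10.10.131.63")], ME_POOL),
    NatRule("SA", [parse_ace("permit ip 10.10.10.0 0.0.0.255 host 10.99.2.95")], SA_POOL),
]

if __name__ == "__main__":
    for label, rules in (("broken", BROKEN_NAT), ("fixed", FIXED_NAT)):
        for dst in ("10.10.131.63", "10.99.2.95"):
            print(label, dst, simulate(rules, CRYPTO_ACLS, "10.10.10.5", dst))
```

With the 'any' ACLs, a packet from 10.10.10.5 to the SA host 10.99.2.95 is translated by the ME rule into 10.129.40.5, which matches neither crypto ACL, so there is no interesting traffic to bring the SA tunnel up; the first customer keeps working, which is exactly the symptom in the question. With explicit destination hosts the same packet is translated to 10.96.21.5 and hits SA-CRYPTO-ACL.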

Tags: Cisco Security

Similar Questions

  • Need help to configure VPN NAT traffic to an external pool IP address on ASA

    Hello

    I need to configure VPN traffic NAT to an external pool IP address on the ASA.

    For example:

    The outside IP address is 1.1.1.10

    VPN traffic must be NATed to 1.1.1.11

    If I try to configure policy NAT or static NAT the ASA gives me the error "global address overlaps with mask".

    Please help me to solve this problem.

    Thank you and best regards,

    Ramanantsoa

    Thank you, and since you are just PATing to 1 IP, 1.1.1.11, the traffic can only be initiated from your site to the remote end.

    Here is the NAT configuration:

    access-list nat-vpn permit ip 192.168.1.0 255.255.255.0 10.0.0.0 255.255.0.0
    nat (inside) 5 access-list nat-vpn
    global (outside) 5 1.1.1.11

    In addition, the crypto ACL for the site-to-site tunnel should be as follows:

    access-list <crypto-acl-name> permit ip host 1.1.1.11 10.0.0.0 255.255.0.0

    Hope that helps.

  • Site-to-site VPN on IOS - impossible to route after VPN + NAT

    Hello

    I have problems with a VPN on two 8xx access routers: I am trying to set up a quick and dirty site-to-site VPN with source NAT on the VPN tunnel endpoint. This configuration is only intended to run for one day, internally. I managed to get the VPN working and I traced the NAT translations on the VPN tunnel endpoint, but I could not get these translated packets to move beyond the access router, because the network that is the intended destination of the VPN traffic is not directly connected to the router. However, I can ping the hosts directly connected to the access router through the VPN.

    Something makes routing not work; I don't think it is the NATing, because I tried removing the NAT and I still could not follow all the outgoing packets that had to be sent, so I suspect this feature is not included in the IOS of the Cisco 8xx router range.

    Am I stretching the VPN + NAT + routing features too far, or is there a configuration error in my setup?

    This is the configuration on the Cisco 8xx router (I provided only this VPN endpoint, as the other VPN endpoint works).

    VPN endpoints: 10.20.1.2 and 10.10.1.2

    Routing to 192.168.2.0 is needed from 192.168.1.2 via 192.168.1.254

    From 172.31.0.x to 192.168.1.x

    !
    version 12.4
    no service pad
    service timestamps debug datetime msec
    service timestamps log datetime msec
    service password-encryption
    !
    hostname INSIDEVPN
    !
    boot-start-marker
    boot-end-marker
    !
    enable secret 5 xxxxxxxxxxxxxxx
    !
    no aaa new-model
    !
    dot11 syslog
    no ip cef
    !
    ip domain name xxxx.xxxx
    !
    multilink bundle-name authenticated
    !
    username root password 7 xxxxxxxxxxxxxx
    !
    crypto isakmp policy 10
     encr 3des
     authentication pre-share
    crypto isakmp key xxxxxxxxxxxxx address 10.20.1.2
    !
    crypto ipsec transform-set VPN-TRANSFORMATIONS esp-3des esp-sha-hmac
    !
    crypto map CRYPTOMAP 10 ipsec-isakmp
     set peer 10.20.1.2
     set transform-set VPN-TRANSFORMATIONS
     match address 100
    !
    archive
     log config
      hidekeys
    !
    controller LAN 0
     line-term cpe
    !
    interface BRI0
     no ip address
     encapsulation hdlc
     shutdown
    !
    interface FastEthernet0
     switchport access vlan 12
     no cdp enable
     crypto map CRYPTOMAP
    !
    interface FastEthernet1
     switchport access vlan 2
     no cdp enable
    !
    interface FastEthernet2
     switchport access vlan 2
     no cdp enable
    !
    interface FastEthernet3
     switchport access vlan 2
     no cdp enable
    !
    interface Vlan1
     no ip address
    !
    interface Vlan2
     ip address 192.168.1.1 255.255.255.248
     ip nat outside
     ip virtual-reassembly
    !
    interface Vlan12
     ip address 10.10.1.2 255.255.255.0
     ip nat inside
     ip virtual-reassembly
     crypto map CRYPTOMAP
    !
    ip forward-protocol nd
    ip route 192.168.2.0 255.255.255.0 192.168.1.254
    ip route 10.20.0.0 255.255.0.0 10.10.1.254
    ip route 172.31.0.0 255.255.0.0 Vlan12
    !
    no ip http server
    no ip http secure-server
    ip nat inside source static 172.31.0.2 192.168.1.11
    ip nat inside source static 172.31.0.3 192.168.1.12
    !
    access-list 100 permit ip 192.168.1.0 0.0.0.255 172.31.0.0 0.0.255.255
    access-list 100 permit ip 192.168.2.0 0.0.0.255 172.31.0.0 0.0.255.255
    !
    control-plane
    !
    line con 0
     no modem enable
    line aux 0
    line vty 0 4
     password 7 xxxxxxxxx
     login
    !
    scheduler max-task-time 5000
    end

    Hi Jürgen,

    First of all, when I went through your config, I saw these lines:

    !
    interface Vlan2
     ip address 192.168.1.1 255.255.255.248
    !
    ip route 192.168.2.0 255.255.255.0 192.168.1.254
    !

    With 255.255.255.248, 192.168.1.1 and 192.168.1.254 fall into different subnets. So I don't think you can reach the 192.168.2.0/24 subnet from the local router at this point. I think you should fix that first.

    Maybe have 192.168.1.2 255.255.255.248 on the connected router (instead of 192.168.1.254).

    Once this has been done, we will have to look at routing.

    You are natting 172.31.0.2 -> 192.168.1.11.

    Now, in order for that to work, make sure that the NAT source addresses (192.168.1.11) are outside the router-to-router connected subnet (if you go with the 192.168.1.0/29 router-to-router subnet, with 192.168.1.1/29 on the local router and 192.168.1.2/29 on the connected router as suggested, it will be fine). So in this case your NAT source addresses would fall into the 192.168.1.8/29 subnet.

    Have a static route on the connected router (192.168.1.2) for the network 192.168.1.8/29 pointing to 192.168.1.1,

    !
    ip route 192.168.1.8 255.255.255.248 192.168.1.1
    !

    so return packets will be correctly routed toward our local router.

    If you have an interface on the connected router which includes the NAT source address range, let's say 192.168.1.254/24, then even if your packets somehow reach 192.168.2.0/24, the return packets never go to the local router (192.168.1.1), because the connected router sees it as a connected subnet, so they will just time out.

    I hope I understood your scenario. Please make the changes and let me know how you went with it.

    Also, please don't forget to rate this post if useful.

    Shamal
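The two checks behind this answer (do two addresses share a subnet under a given mask, and where does the connected router send the reply to a NATed address), as an added example that is not code from the original thread. The routing tables are constructed for the illustration; the /29 link subnet, the 192.168.1.8/29 NAT range and the static route come from the answer above, and treating 192.168.2.0/24 as directly connected on that router is an assumption.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional

# Added example, not code from the original thread. A router picks the
# longest-prefix match for each packet; a connected route means "resolve the
# next hop on the wire yourself", so a reply to a NATed address that lives
# behind another router dies there unless a more specific route points to it.


@dataclass
class Route:
    prefix: ipaddress.IPv4Network
    next_hop: Optional[str]  # None = directly connected


def net(prefix: str) -> ipaddress.IPv4Network:
    return ipaddress.IPv4Network(prefix)


def same_subnet(a: str, b: str, mask: str) -> bool:
    """True when a and b fall in the same subnet for the given dotted mask."""
    return ipaddress.IPv4Address(b) in ipaddress.IPv4Network(f"{a}/{mask}", strict=False)


def lookup(table: List[Route], dst: str) -> Optional[Route]:
    """Longest-prefix-match route lookup."""
    addr = ipaddress.IPv4Address(dst)
    best = None
    for route in table:
        if addr in route.prefix and (best is None or route.prefix.prefixlen > best.prefix.prefixlen):
            best = route
    return best


def return_path(table: List[Route], nat_source: str) -> str:
    """Where the connected router sends the reply to a NATed source address."""
    route = lookup(table, nat_source)
    if route is None:
        return "no route"
    return "connected" if route.next_hop is None else route.next_hop


def pool_clashes_with_link(pool: str, link: str) -> bool:
    """The NAT address range must not overlap the router-to-router link subnet."""
    return net(pool).overlaps(net(link))


# Constructed tables for the connected router (the 192.168.1.254 side in the question).
# Mistaken: its interface carries the whole /24, so 192.168.1.11 looks directly
# connected and the reply is resolved locally instead of going to 192.168.1.1.
MISTAKEN_TABLE = [Route(net("192.168.1.0/24"), None), Route(net("192.168.2.0/24"), None)]

# Suggested: /29 link subnet plus the static route from the answer above
# (ip route 192.168.1.8 255.255.255.248 192.168.1.1).
SUGGESTED_TABLE = [
    Route(net("192.168.1.0/29"), None),
    Route(net("192.168.2.0/24"), None),
    Route(net("192.168.1.8/29"), "192.168.1.1"),
]

if __name__ == "__main__":
    print(same_subnet("192.168.1.1", "192.168.1.254", "255.255.255.248"))  # different /29s
    print(return_path(MISTAKEN_TABLE, "192.168.1.11"))   # reply never leaves the router
    print(return_path(SUGGESTED_TABLE, "192.168.1.11"))  # reply goes to 192.168.1.1
```

The first check reproduces the subnet mismatch Shamal spotted (192.168.1.1/29 and 192.168.1.254 are not on the same wire); the second shows why the /24 on the far router swallows replies to the NAT range and why the /29 plus static route fixes it.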
