no nat over vpn after vpn
I have a site (my ASA) vpn to the site (provider) with a nat on the external interface device and work well. Rear (my ASA) VPN I have other site vpn (service A) for the site (my ASA) and work as well.
My problem is the traffic of my branch A provider is clearly have no nat.
My ASA
object-group network attached
object-network 192.168.1.0 255.255.255.0
object-group network provider
network-object 172.22.0.0 255.255.0.0
the allmyBranch object-group network
object-network 192.168.0.0 255.255.0.0
extended inside permit access list ip object-group reteInside-group of objects plugged
access list inside extended permit ip object-group allmyBranch-provider objects
allowed to access extensive ip list nat0_acl object-group reteInside-group of objects plugged
list of access VPN-Hots extended permitted ip object-group reteInside-group of objects plugged
list of access VPN-provider allowed extended ip outside of the provider object-group interface
list of access VPN-provider allowed extended ip object-group allmyBranch-provider objects
permit ToSupplier to access extended ip object-group allmyBranch-group of objects provider list
Global 1 interface (outside)
NAT (inside) 0-list of access nat0_acl
NAT (inside) 1 access-list ToSupplier
do you have any idea how solve it? is this possible?
Thank you
I'm glad to hear that.
If the problem is resolved and that you find it useful, if Please assess the threat and mark it as answered :-)
Thank you.
Federico.
Tags: Cisco Security
Similar Questions
-
Hello
I just want to ask if it is possible to NAT pool users to remote access ip VPN to the router is outside the IP address? The router is a Cisco1841.
Thank you!
Patricia,
Are you referring to Polo your RA IP pool using your external interface just like you with your LAN subnets in ip nat overload?, if so this link illustrates similar example using the road map, PLS let know us if this isn't what you're looking for and if you could perhaps develop as that is what you try to accomplish.
Concerning
-
ASA 8.4 (1) source-nat over vpn site-to-site
I'm setting up a tunnel vpn site-to-site and require nat for the local and remote side. The remote side will be nat to
10.2.255.128/25 on their face before they reach our network, so I have to only source-nat our servers via the tunnel to them. Should I just do the static NAT, then let the whole subnet through the acl of valuable traffic as the config below? I don't think I should use twice a nat because I'm not trying to make the destination nat on the firewall. Servers with us will 10.2.255.128/25 and I would like to preserve it through the ASA.
network of the ServerA object
host 10.1.0.1
NAT 10.2.255.1 static (inside, outside)
network of the object server b
host 10.1.0.2
NAT 10.2.255.2 static (inside, outside)
the object server c network
host 10.1.0.3
NAT 10.2.255.3 static (inside, outside)
the LOCAL_SUBNET object-group network
object-network 10.2.255.0 255.255.255.128
the REMOTE_SUBNET object-group network
object-network 10.2.255.128 255.255.255.128
VPN_ACL list extended access permitted ip object-group LOCAL_SUBNET-group of objects REMOTE_SUBNET
Thank you
Your configuration is correct, but I have a few comments. Remember that NAT occurs before the delivery of your servers will be translated into 10.2.255.2 and 10.2.255.3 and then sent through the tunnel, so your encryption field is correct.
Is your internet firewall as well? What your servers out of the internet? They will be translated to 10.2.255.2 and 10.2.255.3 and who will fail in internet routing is. If these servers access the internet through the firewall, I would recommend a configuration like this for each of your servers:
network of the ServerA_NAT object
Home 10.2.255.1
NAT static ServerA ServerA_NAT destination (indoor, outdoor) static source REMOTE_SUBNET REMOTE_SUBNET
This will use destination basic NAT for traffic VPN and NAT everything to a public IP address for the internet traffic. Of course, if this is not your internet connection firewall can do abstraction.
-
I have a question about how the traffic is game and in what order to a tunnel L2L. See the attached diagram. Side ASA5520 I configured the 192.168.12.0/24 NAT 10.252.43.0/24 subnet addresses as follows:
Global (outside) 1 10.252.43.0 netmask 255.255.255.0
NAT (inside) 1 192.168.12.0 255.255.255.0
Now, I want to send traffic to the 192.168.12.0/24 subnet for the subnet 10.10.26.0/24 above the tunnel. Which addresses correspond to side ASA5520 of the tunnel?
I don't know if it should be:
to_pix525 to access extended list ip 192.168.12.0 allow 255.255.255.0 10.10.26.0 255.255.255.0
or
access extensive list ip 10.252.43.0 to_pix525 allow 255.255.255.0 10.10.26.0 255.255.255.0
Thank you
-mike
Please change the acl on nat0inside as follows:
nat0inside to access extended list ip 192.168.12.0 allow 255.255.255.0 10.10.26.0 255.255.255.0
Everything else is fine.
--
Robet
-Please rate the solutions.
-
Try to send all traffic over VPN
Hello
I have a Cisco 871 router on my home cable modem connection. I am trying to set up a VPN, and I want to send all traffic over the VPN from connected clients (no split tunnel).
I can connect to the VPN and I can ping/access resources on my home LAN when I'm remote but access to the internet channels.
If its possible I would have 2 Configuration of profiles according to connection 1 connection sends all traffic to the vpn and the connection on the other split tunneling but for now, I'd be happy with everything just all traffic go via the VPN.
Here is my config.
10.10.10.xxx is my home network inside LAN
10.10.20.xxx is the IP range assigned when connecting to the VPN
FastEthernet4 is my WAN interface.
Kernel #show run
Building configuration...Current configuration: 4981 bytes
!
version 12.4
service configuration
no service button
tcp KeepAlive-component snap-in service
a tcp-KeepAlive-quick service
horodateurs service debug datetime localtime show-timezone msec
Log service timestamps datetime localtime show-timezone msec
encryption password service
sequence numbers service
!
hostname-Core
!
boot-start-marker
boot-end-marker
!
Security of authentication failure rate 3 log
Passwords security min-length 6
forest-meter operation of syslog messages
no set record in buffered memory
enable secret 5 XXXXX
!
AAA new-model
!
!
AAA authentication login default local
AAA authentication login ciscocp_vpn_xauth_ml_1 local
AAA authorization exec default local
AAA authorization ciscocp_vpn_group_ml_1 LAN
!
!
AAA - the id of the joint session
!
Crypto pki trustpoint Core_Certificate
enrollment selfsigned
Serial number no
IP address no
crl revocation checking
rsakeypair 512 Core_Certificate_RSAKey
!
!
string Core_Certificate crypto pki certificates
certificate self-signed 01
XXXXXXXXXXXXXXXXXXXXXXXXXXXXX
quit smoking
dot11 syslog
no ip source route
!
!
!
!
IP cef
no ip bootp Server
name of the IP-server 75.75.75.75
name of the IP-server 75.75.76.76
No ipv6 cef
!
Authenticated MultiLink bundle-name Panel
!
!
!
password username privilege 15 7 XXXXXXXXXXXXX XXXXXXXX
username secret privilege 15 XXXXXXXX XXXXXXXXXXXXX 5
!
!
crypto ISAKMP policy 1
BA 3des
preshared authentication
Group 2
!
crypto ISAKMP client configuration main group
key to XXXXXXX
DNS 75.75.75.75 75.75.76.76
pool SDM_POOL_3
Max-users 5
netmask 255.255.255.0
ISAKMP crypto ciscocp-ike-profile-1 profile
main group identity match
client authentication list ciscocp_vpn_xauth_ml_1
ISAKMP authorization list ciscocp_vpn_group_ml_1
client configuration address respond
virtual-model 1
!
!
Crypto ipsec transform-set esp-SHA-ESP-3DES-3des esp-sha-hmac
!
Profile of crypto ipsec CiscoCP_Profile1
game of transformation-ESP-3DES-SHA
set of isakmp - profile ciscocp-ike-profile-1
!
!
Crypto ctcp port 64444
Archives
The config log
hidekeys
!
!
synwait-time of tcp IP 10
property intellectual ssh time 60
property intellectual ssh authentication-2 retries
property intellectual ssh version 1
!
!
!
Null0 interface
no ip unreachable
!
interface FastEthernet0
!
interface FastEthernet1
!
interface FastEthernet2
!
interface FastEthernet3
!
interface FastEthernet4
Description $ETH - WAN$ $FW_OUTSIDE$
address IP dhcp client id FastEthernet4
no ip redirection
no ip unreachable
no ip proxy-arp
penetration of the IP stream
NAT outside IP
IP virtual-reassembly
automatic duplex
automatic speed
!
type of interface virtual-Template1 tunnel
Description $FW_INSIDE$
IP unnumbered FastEthernet4
no ip redirection
no ip unreachable
no ip proxy-arp
penetration of the IP stream
ipv4 ipsec tunnel mode
Tunnel CiscoCP_Profile1 ipsec protection profile
!
interface Vlan1
Description $FW_INSIDE$
IP 10.10.10.1 255.255.255.0
no ip redirection
no ip unreachable
no ip proxy-arp
penetration of the IP stream
IP nat inside
IP virtual-reassembly
!
local IP SDM_POOL_1 10.10.30.10 pool 10.10.30.15
local IP SDM_POOL_2 10.10.10.80 pool 10.10.10.85
local IP SDM_POOL_3 10.10.20.10 pool 10.10.20.15
IP forward-Protocol ND
IP route 0.0.0.0 0.0.0.0 permanent FastEthernet4
IP http server
access-class 2 IP http
local IP http authentication
no ip http secure server
!
!
the IP nat inside source 1 list the interface FastEthernet4 overload
!
Note category of access list 1 = 2 CCP_ACL
access-list 1 permit 10.10.5.0 0.0.0.255
access-list 1 permit 10.10.10.0 0.0.0.255
access-list 2 Note HTTP access class
Note access-list category 2 CCP_ACL = 1
access-list 2 allow 10.10.10.0 0.0.0.255
access-list 2 refuse any
not run cdp!
!
!
!
!
control plan
!
connection of the banner ^ CThis is a private router and all access is controlled and connected. ^ C
!
Line con 0
no activation of the modem
telnet output transport
line to 0
telnet output transport
line vty 0 4
access-class 2
entry ssh transport
!
max-task-time 5000 Planner
Scheduler allocate 4000 1000
Scheduler interval 500
endKernel #.
Thanks for your help!
Hi Joseph,.
You need a configuration like this:
customer pool: 10.10.20.0
local networkbehind router: 10.10.10.0
R (config) #ip - list extended access 101
R (config-ext-nacl) 10.10.20.0 ip #deny 0.0.0.255 10.10.10.0 0.0.0.255
R (config-ext-nacl) 10.10.20.0 ip #permit 0.0.0.255 anytype of interface virtual-Template1 tunnel
Description $FW_INSIDE$
political IP VPN route mapR (config) #ip - list extended access 103
R (config-ext-nacl) #permit ip all 10.10.20.0 0.0.0.255R (config) #route - map allowed VPN 10
Ip address of R #match (config-route-map) 101
R (config-route-map) #set interface loopback1
R (config) #route - map allowed VPN 20
Ip address of R #match (config-route-map) 103
R (config-route-map) #set interface loopback1You must now exonerated NAT for VPN traffic:
===================================
R (config) #ip - 102 extended access list
R #deny (config-ext-nacl) ip 10.10.10.0 0.0.0.255 10.10.20.0 0.0.0.255
R (config-ext-nacl) 10.10.10.0 ip #permit 0.0.0.255 any
R (config-ext-nacl) 10.10.20.0 ip #deny 0.0.0.255 10.10.10.0 0.0.0.255
R (config-ext-nacl) 10.10.20.0 ip #permit 0.0.0.255 anyoverload of IP nat inside source list 102 interface FastEthernet4
Let me know if this can help,
See you soon,.
Christian V
-
We have VPN tunnel in our firewall with the other partner peer. We use ASA 5520 with IOS "asa825-k8" and ASDM version 6.4.
our partner has several services running in this tunnel VPN, including the SIP.
other services work very well only SIP connections cannot come.
the question is we allowed any IP service on the inside and outside interfaces, but this topic could not come to the top.
is - there any SIP over VPN option must be configured on ASA?
Hello
As you can see in the newspapers, it is denied to the inside interface.
If you just need to allow this by opening an ACL for this traffic on port 5060.
I would like to know if it works.
Kind regards
Aditya
Please evaluate the useful messages and mark the correct answers.
-
Making the NAT for VPN through L2L tunnel clients
Hi.I has the following situation in my network. We need for users who log on our site with the VPN clients to connect to another site via a tunnel L2L. The problem is that I need NAT addresses from the pool of VPN client in another beach before going on the L2L tunnel because on the other side, we have duplication of networks.
I tried to do NAT with little success as follows:
ACL for pool NAT of VPN:
Extended list ip 192.168.253.0 access TEST allow 255.255.255.0 192.168.0.0 255.255.255.0
Extended list ip 192.168.253.0 access TEST allow 255.255.255.0 192.168.5.0 255.255.255.0
NAT:
Global 172.20.105.1 - 172.20.105.254 15 (outdoor)
NAT (inside) 15 TEST access-list
CRYPTO ACL:
allowed ro access list extended LAN ip 255.255.0.0 192.168.0.0 255.255.255.0
allowed ro access list extended LAN ip 255.255.0.0 192.168.5.0 255.255.255.0
IP 172.20.105.0 RO allow extended access list 255.255.255.0 192.168.0.0 255.255.255.0
IP 172.20.105.0 RO allow extended access list 255.255.255.0 192.168.5.0 255.255.255.0
permit same-security-traffic intra-interface
Am I missing something here? Something like this is possible at all?
Thanks in advance for any help.
We use the ASA 5510 with software version 8.0 (3) 6.
You need nat to the outside, not the inside.
NAT (outside) 15 TEST access-list
-
SIP over VPN and 1.0.2.6 Firmware RV120W
Updated 1.0.2.6 and all of a sudden devices SIP works via the VPN no longer work. Downgrade from version 1.0.1.3 and they work again. Any ideas? My guess is that some ports are blocked on the VPN in 1.0.2.6
I thought the whole idea was that fixed bugs rather than introduce firmware ugrades.
Suggestion for Cisco:-Zip downloads of image of the firmware, or have an upgrade process which includes a CRC check, as it at least the poor punter will have an indication if they have been damaged. I had a subtle memory problem that corrupts certain files. Download of the firmware seems to fill in correctly and you can log on OK but some menu choices resulted in a deadlock with the "Please wait... the page is loading" message. Thorough check of the file sizes revealed that the file I'm downloading in the router is different in size to those on the site, a few hundred bytes must have been corrupted during the download. But the download was normal with no indication of any errors. It's a pretty basic protection measure that should be there as a no-brainer with the router was conducting a CRC check and showing an error if it fails.
Hello Michael,
Maybe you have active SIP Application layer gateway. Please try to disable this SIP over VPN works great.
Firewall--> avancΘs--> remove the checkbox of the SIP ALG.
Thank you
Nero - UNITED Arab Emirates
-
Summary:
We strive to establish a two-way VPN L2L tunnel with a partner. VPN traffic is one-to-many towards our partner, and our partner they need of a many-to-one to us (they need to access a host on our network). In addition, our partner has many VPN, so they force us to use a separate NAT with two private hosts addresses, one for each direction of the tunnel.
My initial configuration of the tunnel on my grown up side of Phase 1, but not IPSec. Partner ran debug that revealed that my host did not address NAT'd in the NAT policy. We use an ASA5520, ver 7.0.
Here is the config:
# #List of OUR guests
the OURHosts object-group network
network-host 192.168.x.y object
# Hosts PARTNER #List
the PARTNERHosts object-group network
network-host 10.2.a.b object
###ACL for NAT
# Many - to - many outgoing
access-list extended NAT2 allowed ip object-group OURHosts-group of objects PARTNERHosts
# One - to - many incoming
VIH3 list extended access permit ip host 192.168.c.d PARTNERHosts object-group
# #NAT
NAT (INSIDE) 2-list of access NAT2
NAT (OUTSIDE) 2 172.20.n.0
NAT (INSIDE) 3 access-list VIH3
NAT (OUTSIDE) 3 172.20.n.1
# #ACL for VPN
access list permits extended VPN ip object-group objects PARTNERHosts OURHosts-group
access allowed extended VPN ip host 192.168.c.d PARTNERHosts object-group list
# #Tunnel
tunnel-group
type ipsec-l2l card
<#>crypto is the VPN address card crypto
<#>the value transform-set VPN #>card
<#>crypto defined peer #> #>I realize that the ACL for the VPN should read:
access allowed extended VPN ip host 172.20.n.0 PARTNERHosts object-group list
access allowed extended VPN ip host 172.20.n.1 PARTNERHosts object-group list
.. . If the NAT was working properly, but when this ACL is used, Phase 1 is not even negotiating, so I know the NAT is never translated.
What am I missing to NAT guests for 172.20 addresses host trying to access their internal addresses via the VPN?
Thanks in advance.
Patrick
Here is the order of operations for NAT on the firewall:
1 nat 0-list of access (free from nat)
2. match the existing xlates
3. match the static controls
a. static NAT with no access list
b. static PAT with no access list
4. match orders nat
a. nat [id] access-list (first match)
b. nat [id] [address] [mask] (best match)
i. If the ID is 0, create an xlate identity
II. use global pool for dynamic NAT
III. use global dynamic pool for PAT
If you can try
(1) a static NAT with an access list that will have priority on instruction of dynamic NAT
(2) as you can see on 4A it uses first match with NAT and access list so theoretically Exchange autour should do the trick.
I don't see any negative consequences? -Well Yes, you could lose all connectivity. I don't think that will happen, but I can't promise if you do absolutely not this after-hours.
Jon
-
Rule of NAT for vpn access... ?
Hey, putting in place the vpn ssl via the client Anyconnect on a new ASA 5510, ASA ASDM 6.4.5 8.4.2.
I am able to 'connect' through the anyconnect client, & I am assigned an ip address from the pool of vpn that I created, but I can't ping or you connect to internal servers.
I think that I have configured the split tunneling ok following the guide below, I can browse the web nice & quickly while connected to the vpn but just can't find anything whatsoever on the internal network.
http://www.Cisco.com/en/us/products/ps6120/products_configuration_example09186a0080975e83.shtml
I suspect her stockings for a nat rule, but I am a bit stuck if it should be a rule of nat object network or if it must be dynamic/static & if its between the external interface or external ip & network inside or the VPN (I created the pool on a different subnet), or a 'Beach' (but then I am getting overlapping ip errors when I try to create a rule for a range of IP addresses.
Any advice appreciated,
Hi Eunson,
After have connected you to the ASA that clients receive an IP address, let's say 192.168.10.0/24 pool, the network behind the ASA is 192.168.20.0/24.
On the SAA, you would need an NAT exemption for 192.168.20.0 to 192.168.10.0
Create two groups of objects, for pool VPN and your itnernal LAN.
object-group network object - 192.168.20.0
object-network 192.168.20.0 255.255.255.0
object-group network object - 192.168.10.0
object-network 192.168.10.0 255.255.255.0
NAT (inside, outside) 1 source static object - 192.168.20.0 object - 192.168.20.0 destination static object - 192.168.10.0 object - 192.168.10.0 non-proxy-arp-search to itinerary
At the inside = interface behind which is your LOCAL lan
Outside = the interface on which the Clients connect.
If you can't still access then you can take the shot on the inside interface,
create and acl
access-list allowed test123 ip host x.x.x.x y.y.y.y host
access-list allowed test123 ip host host x.x.x.x y.y.y.y
interface test123 captures inside test123 access list
view Cape test123
It will show if the packages are extinguished inside the interface and if we see that the answers or not. If we have all the answers, this means that there might be a routing on the internal LAN problem as devices know may not be not to carry the traffic of 192.168.10.0 return to the ASA inside the interface.
Or maybe it's that there is a firewall drop packets on your internal LAN.
HTH
-
NAT before VPN - ASA L2L 8.3?
Hello
I have the following scenario: -.
A net - network 172.20.82.0/24 (under my control)
B ' net - network audience (beyond my control)
I have a lot of servers on the Net (172.20.82.0/24) network I would PAT behind a public IP address before it is sent over a virtual private network to the remote site (Net (B). By some read far quickly, my understanding is that I'm going to need to: -.
(a) conduct an "indoor/outdoor" PAT on the Net 'interesting' traffic to my address of PAT Public front I then...
(b) apply the new address Public PAT crypto and ACL "NAT 0".
i.e.
one)
access-list allowed NET_A_PAT 172.20.82.0 255.255.255.0 NET_B_NETWORK NET_B_NETMASK
NAT (inside) 20 access-list NET_A_PAT
MY_PUBLIC_PAT overall, 20 (outdoor)
then (b)
NO_NAT list extended access permit ip host MY_PUBLIC_PAT NET_B_NETWORK NET_B_NETMASK
CRYPTO_MAP list extended access permit ip host MY_PUBLIC_PAT NET_B_NETWORK NET_B_NETMASK
First question is - is it good? I think it is, but I'm just wanting clarification.
Second question is: I is also launching a 'standard' CARESS on the 'outside' of the SAA for internet traffic normal (Internet) interface - navigation etc. If I play a PAT inside and outside as shown above, not then try and pass packets encrypted using my 'new' PAT instead of the IP Address of the remote VPN endpoint interface? Or take it to process my first PAT crypto then re - wrap by using the 'real' outside interface IP PAT?
Hope I'm reasonably clear - thanks in advance.
(a) correct
(b) in part reason, crypto ACL is correct, however, you don't need NAT 0 ACL like you do a PAT.
Second question - no, PAT comes first, then it will encrypt the packet with the IP Address of the interface that is the VPN endpoint.
-
Routing over VPN between ISA550W and RV215W
Hello all I have a problem with the VPN between my two office
I have an ISA550W at the head office (chcnorth)
I have a RV215W to the remote desktop (chcsouth)
the VPN is up and running, I can connect from Headquarters to remote control (chcsouth-RV215W)
and vice versa however when client computers on the remote end are trying to connect to the
Main office to access the database, they can't.
the problem started last week I received a call from the remote desktop that they can connect to our database
on the main office, I tried to connect remotely to see what was going on, it turns out that the router has completely put back
at the plant, including the firmware
I reinstalled the latest firmware for the RV215W of installation all connections as they were, I could
get VPN to connect, I can ping to the interface of the RV215W from my seat and I ping the ISA550W
the remote desktop, however my remote clients still cannot access my server at the main office
I realized after I have everything set up, I had a backup of my original installation and thinking I had
just missed something I restored it to the firmware to factory upgraded to power and restored the backup of the
RV215W I've had. still no dice
So I am now at a loss, there were no other changes to the network on both ends, I've been on this som my eyes several times
are blurred,
any ideas, workarounds for solutions would be greatly appreciated
Thanks in advance
John G
John,
It doesn't look like your question is more DNS related, as you can access the server by its IP address if the "connection" allows you to set up this way. It is quite common, that you cannot resolve names through the tunnel because netbios broadcasts will not pass. The RV215W have shared DNS within the parameters of the tunnel, so this isn't an option more.
If the "connection" is a PC, you can work around this by editing the LMHOSTS file. Please see the following instructions:
http://www.JakeLudington.com/Windows_7/20100924_how_to_edit_windows_7_lmhosts_file.html
In your case, it might look more at:
192.168.1.200 sqlsvr
Now if you ping or try to access sqlsvr from the computer, it will automatically know that it should go to 192.168.1.200 without having to find the IP address.
Answer please if you have any questions.
-Marty
-
Hello friends
I m noob with firewall and I create a VPN site-to-site with a customer with the tracking information:
My site:
10.204.x.x/24
10.69.0.0/24
others
Customer site:
172.30.20.0/24
But my site 10.69.0.0 network is an internal network of the client, that they asked me to do a NAT when the network 10.69.0.0 will 172.30.20.0 them must go out with the IP 172.30.100.0.
Anyone know what can make it work configurations?
Thank you
Marcio,
You can use a political static NAT:
network of the LAN object - 10.69.0.0
subnet 10.69.0.0 255.255.x.x
network object obj - 172.30.100.0_nat
172.30.100.0 subnet 255.255.255.0
network object obj - 172.30.20.0
172.30.20.0 subnet 255.255.255.0
NAT (inside, outside) source static LAN - 10.69.0.0 obj - 172.30.100.0_nat destination static obj - 172.30.20.0 obj - 172.30.20.0
-JP-
-
Help without NAT and VPN Config DMZ.
Before VPN, we miss with 'nonatdmz '. Recently, we tried to implement the solution VPN using "VPNRA".
ASA IOS would only you are using a "NAT 0" at a time, how do you get around that.
TIA
nonatdmz list of allowed ip extended access any 192.168.100.0 255.255.255.0
NAT (inside) 0-list of access nonatdmz
Access extensive list ip 172.0.0.0 VPNRA allow 255.0.0.0 10.17.70.0 255.255.255.0
NAT (inside) 0-list of access VPNRA
You can add several lines to you nonatdmz access-list: for example:
nonatdmz list of allowed ip extended access any 192.168.100.0 255.255.255.0
access extensive list ip 172.0.0.0 nonatdmz allow 255.0.0.0 10.17.70.0 255.255.255.0
NAT (inside) 0-list of access nonatdmz
-
Static NAT enable VPN site-to-site.
Hello
We plan to build VPN site to site, but, we have a single public routerable internet IP address to assign VPN on Site A, but Site B is ok.
in this case, I think that we must use static NAT on the router, the simple diagram is as below.
internal a subnet - router VPN - router for Internet of the Site - to - VPN - B B Site internal subnet.
the final goal is to make the communication between internal a subnet and subnet B on IPSEC tunnel.
OK, as I said, Site A having a public IP address, then it must use the static NAT and need to apply on the Site router.
Router
interface x/x
Head of ESCR to the internet
NAT outside IP
!
interface x/x
Head of DESC to internal (VPN)
IP nat inside
!
IP nat inside source static (like IP address x.x.x.x) public (as private VPN interface IP x.x.x.x)
so, wouldn't be work without any problem? I think it will work, but I would find other one just in case.
Hey,.
Is that what you try to achieve:
subnet A - A = vpn router = router B - Sub-B network
and you need communicate between Subnet A and subnet via ipsec vpn b?
Concerning
Maybe you are looking for
-
Satellite P200-1ED - wireless issue
Hey guys,. I hope that I write in the right forum! I had my * Satellite P200-1ED * for a while now and he used to work on the internet very well. However these last weeks I tried to sort, because it is quite frustrating not being able to go on the in
-
A message appears on the screen during post ' game of factorycontrolcommand: 5 ' active Pxe boot, wwan another mode. That means, how I fix it please help! I disabled pxe boot option in the bios, but it does not help!
-
Significant digits in the data file
Is there a way to change the digits in a LVM data file? I use "write into the file of measures."
-
How to create a type of "alarm" based on data time and acquired sensor system?
Hi all I am relatively new to LabVIEW and have managed to create a VI that reads the data from the sensors voltage. Each sensor outputs 2 voltage values and I treat these values in the form of 2 different values DBL. I would like to be able to reco
-
can I use the Internet to transfer files fron an old computer to a new pc?
My old XP pc cannot write on DVDs more. Buy a new Windows 7 PC. Can I use the web to transfer my files from the old to the new PC?