No NAT over VPN after VPN

I have a site-to-site VPN from my site (my ASA) to the provider site, with a NAT on the outside interface of the device, and it works well. Behind my ASA I have another site-to-site VPN from branch A to my site (my ASA), and it works as well.

My problem is that the traffic from my branch A towards the provider clearly does not get NATed.

My ASA

object-group network attached
 network-object 192.168.1.0 255.255.255.0
object-group network provider
 network-object 172.22.0.0 255.255.0.0
object-group network allmyBranch
 network-object 192.168.0.0 255.255.0.0

access-list inside extended permit ip object-group reteInside object-group attached
access-list inside extended permit ip object-group allmyBranch object-group provider
access-list nat0_acl extended permit ip object-group reteInside object-group attached
access-list VPN-Hots extended permit ip object-group reteInside object-group attached
access-list VPN-provider extended permit ip interface outside object-group provider
access-list VPN-provider extended permit ip object-group allmyBranch object-group provider
access-list ToSupplier extended permit ip object-group allmyBranch object-group provider

global (outside) 1 interface
nat (inside) 0 access-list nat0_acl
nat (inside) 1 access-list ToSupplier

Do you have any idea how to solve it? Is this possible?

Thank you

I'm glad to hear that.

If the problem is resolved and you found it useful, please rate the thread and mark it as answered :-)

Thank you.

Federico.
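The fix this thread does not spell out is the one a later thread on this page ("Making the NAT for VPN through L2L tunnel clients") gives: the branch packets arrive decrypted on the outside interface and must leave through the same outside interface towards the provider, so a `nat (inside)` rule never sees them. The configuration below is an added example, not Federico's own config or the accepted answer; it reuses the object-group names from the post and stays in the pre-8.3 syntax the post uses.

```cisco
! Added example (not from the original post): hairpin branch-to-provider traffic
! that enters and leaves the same "outside" interface, and translate it there.

! A flow may enter and leave the same interface (needed for VPN-to-VPN hairpinning).
same-security-traffic permit intra-interface

! Interesting traffic, as in the post: branch 192.168.0.0/16 -> provider 172.22.0.0/16.
access-list ToSupplier extended permit ip object-group allmyBranch object-group provider

! Dynamic PAT to the outside interface address. The "nat (inside)" line only matches
! packets that ingress on inside; the branch packets ingress on outside, so the
! "nat (outside)" line is the one that actually translates them.
global (outside) 1 interface
nat (inside) 1 access-list ToSupplier
nat (outside) 1 access-list ToSupplier

! The provider-side crypto ACL must match the post-NAT source, i.e. the outside
! interface address (this line is already present in the post).
access-list VPN-provider extended permit ip interface outside object-group provider

! Verification after a branch host talks to the provider:
!   show xlate | include 172.22        -> an xlate built from a 192.168.x.x branch host
!   show crypto ipsec sa peer <provider-peer>   -> #pkts encaps increasing on the provider SA
```

If `show xlate` never shows an entry for a branch host, the packet did not reach the NAT stage at all: check that the branch tunnel's crypto ACL on this ASA includes 172.22.0.0/16 as a destination, otherwise the branch-side SA will not carry the traffic in the first place.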

Tags: Cisco Security

Similar Questions

  • NAT over VPN IP Pool

    Hello

I just want to ask if it is possible to NAT the remote-access VPN IP pool users to the router's outside IP address. The router is a Cisco 1841.

    Thank you!

    Patricia,

Are you referring to PATing your RA IP pool behind your outside interface, just like you do with your LAN subnets with ip nat overload? If so, this link illustrates a similar example using a route-map. Please let us know if this isn't what you're looking for, and if you could perhaps elaborate on what you are trying to accomplish.

    http://www.Cisco.com/en/us/products/sw/secursw/ps2308/products_configuration_example09186a008073b06b.shtml

    Regards

  • ASA 8.4 (1) source-nat over vpn site-to-site

    I'm setting up a site-to-site VPN tunnel and require NAT for the local and remote side. The remote side will be NATed to

    10.2.255.128/25 on their side before they reach our network, so I only have to source-NAT our servers through the tunnel to them. Should I just do the static NAT, then let the whole subnet through the interesting-traffic ACL as in the config below? I don't think I should use twice NAT because I'm not trying to do destination NAT on the firewall. To us, their servers will be 10.2.255.128/25 and I would like to preserve that through the ASA.

    object network ServerA
     host 10.1.0.1
     nat (inside,outside) static 10.2.255.1
    object network ServerB
     host 10.1.0.2
     nat (inside,outside) static 10.2.255.2
    object network ServerC
     host 10.1.0.3
     nat (inside,outside) static 10.2.255.3

    object-group network LOCAL_SUBNET
     network-object 10.2.255.0 255.255.255.128
    object-group network REMOTE_SUBNET
     network-object 10.2.255.128 255.255.255.128

    access-list VPN_ACL extended permit ip object-group LOCAL_SUBNET object-group REMOTE_SUBNET

    Thank you

    Your configuration is correct, but I have a few comments. Remember that NAT occurs before delivery: your servers will be translated to 10.2.255.2 and 10.2.255.3 and then sent through the tunnel, so your crypto domain is correct.

    Is this your internet firewall as well? What about your servers going out to the internet? They will be translated to 10.2.255.2 and 10.2.255.3, which will fail in internet routing. If these servers access the internet through the firewall, I would recommend a configuration like this for each of your servers:

    object network ServerA_NAT
     host 10.2.255.1

    nat (inside,outside) source static ServerA ServerA_NAT destination static REMOTE_SUBNET REMOTE_SUBNET

    This will use destination-based NAT for the VPN traffic and NAT everything else to a public IP address for the internet traffic. Of course, if this is not your internet firewall, you can disregard this.
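The answer shows the twice-NAT line for one server. Below is the whole design carried through for all three servers plus the internet PAT it relies on, as an added example that is not part of the thread. It keeps the object and group names from the post; the `INSIDE_ANY` object and the addresses used in the `packet-tracer` checks are assumptions.

```cisco
! Added example (not the poster's or answerer's config). ASA 8.3+ syntax.
! Real and mapped addresses for the three servers, as in the post.
object network ServerA
 host 10.1.0.1
object network ServerA_NAT
 host 10.2.255.1
object network ServerB
 host 10.1.0.2
object network ServerB_NAT
 host 10.2.255.2
object network ServerC
 host 10.1.0.3
object network ServerC_NAT
 host 10.2.255.3

object-group network LOCAL_SUBNET
 network-object 10.2.255.0 255.255.255.128
object-group network REMOTE_SUBNET
 network-object 10.2.255.128 255.255.255.128

! Section 1 (manual/twice NAT), evaluated top-down, first match wins:
! translate the server only when the destination is the partner's subnet.
! Note: the per-object "nat (inside,outside) static" lines from the question are
! NOT kept; an auto-NAT static would also rewrite the servers' internet traffic.
nat (inside,outside) source static ServerA ServerA_NAT destination static REMOTE_SUBNET REMOTE_SUBNET
nat (inside,outside) source static ServerB ServerB_NAT destination static REMOTE_SUBNET REMOTE_SUBNET
nat (inside,outside) source static ServerC ServerC_NAT destination static REMOTE_SUBNET REMOTE_SUBNET

! Everything else from inside is PATed to the outside interface for the internet.
! "after-auto" puts this in section 3, so it can never shadow the rules above.
object network INSIDE_ANY
 subnet 0.0.0.0 0.0.0.0
nat (inside,outside) after-auto source dynamic INSIDE_ANY interface

! Crypto ACL matches the translated (post-NAT) source addresses.
access-list VPN_ACL extended permit ip object-group LOCAL_SUBNET object-group REMOTE_SUBNET

! Checks (assumed addresses): confirm which rule fires for each path.
!   packet-tracer input inside tcp 10.1.0.1 1234 10.2.255.130 443
!     -> NAT phase shows 10.1.0.1 -> 10.2.255.1, VPN phase shows encrypt
!   packet-tracer input inside tcp 10.1.0.1 1234 203.0.113.10 443
!     -> NAT phase shows dynamic PAT to the outside interface, no VPN phase
!   show nat detail      -> translate_hits on the three manual rules
```

The two `packet-tracer` runs are the real test of the answer's point: the same host must hit a different NAT rule depending only on the destination.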

  • NAT over VPN Tunnel

    I have a question about how traffic is matched, and in what order, for an L2L tunnel. See the attached diagram. On the ASA5520 side I configured NAT of the 192.168.12.0/24 subnet to 10.252.43.0/24 addresses as follows:

    global (outside) 1 10.252.43.0 netmask 255.255.255.0
    nat (inside) 1 192.168.12.0 255.255.255.0

    Now I want to send traffic from the 192.168.12.0/24 subnet to the 10.10.26.0/24 subnet over the tunnel. Which addresses match on the ASA5520 side of the tunnel?

    I don't know if it should be:

    access-list to_pix525 extended permit ip 192.168.12.0 255.255.255.0 10.10.26.0 255.255.255.0

    or

    access-list to_pix525 extended permit ip 10.252.43.0 255.255.255.0 10.10.26.0 255.255.255.0

    Thank you

    -mike

    Please change the ACL on nat0inside as follows:

    access-list nat0inside extended permit ip 192.168.12.0 255.255.255.0 10.10.26.0 255.255.255.0

    Everything else is fine.

    --

    Robet

    -Please rate the solutions.

  • Try to send all traffic over VPN

    Hello

    I have a Cisco 871 router on my home cable modem connection. I am trying to set up a VPN, and I want to send all traffic over the VPN from connected clients (no split tunnel).

    I can connect to the VPN and I can ping/access resources on my home LAN when I'm remote, but internet access does not work.

    If possible I would have two configuration profiles, one connection that sends all traffic over the VPN and another that uses split tunneling, but for now I'd be happy with just all traffic going via the VPN.

    Here is my config.

    10.10.10.xxx is my home network inside LAN

    10.10.20.xxx is the IP range assigned when connecting to the VPN

    FastEthernet4 is my WAN interface.

    Core#show run
    Building configuration...

    Current configuration : 4981 bytes
    !
    version 12.4
    service config
    no service pad
    service tcp-keepalives-in
    service tcp-keepalives-out
    service timestamps debug datetime msec localtime show-timezone
    service timestamps log datetime msec localtime show-timezone
    service password-encryption
    service sequence-numbers
    !
    hostname Core
    !
    boot-start-marker
    boot-end-marker
    !
    security authentication failure rate 3 log
    security passwords min-length 6
    logging message-counter syslog
    no logging buffered
    enable secret 5 XXXXX
    !
    aaa new-model
    !
    !
    aaa authentication login default local
    aaa authentication login ciscocp_vpn_xauth_ml_1 local
    aaa authorization exec default local
    aaa authorization network ciscocp_vpn_group_ml_1 local
    !
    !
    aaa session-id common
    !
    crypto pki trustpoint Core_Certificate
     enrollment selfsigned
     serial-number none
     ip-address none
     revocation-check crl
     rsakeypair Core_Certificate_RSAKey 512
    !
    !
    crypto pki certificate chain Core_Certificate
     certificate self-signed 01
      XXXXXXXXXXXXXXXXXXXXXXXXXXXXX
      quit
    dot11 syslog
    no ip source-route
    !
    !
    !
    !
    ip cef
    no ip bootp server
    ip name-server 75.75.75.75
    ip name-server 75.75.76.76
    no ipv6 cef
    !
    multilink bundle-name authenticated
    !
    !
    !
    username XXXXXXXX privilege 15 password 7 XXXXXXXXXXXXX
    username XXXXXXXX privilege 15 secret 5 XXXXXXXXXXXXX
    !
    !
    crypto isakmp policy 1
     encr 3des
     authentication pre-share
     group 2
    !
    crypto isakmp client configuration group main
     key XXXXXXX
     dns 75.75.75.75 75.75.76.76
     pool SDM_POOL_3
     max-users 5
     netmask 255.255.255.0
    crypto isakmp profile ciscocp-ike-profile-1
     match identity group main
     client authentication list ciscocp_vpn_xauth_ml_1
     isakmp authorization list ciscocp_vpn_group_ml_1
     client configuration address respond
     virtual-template 1
    !
    !
    crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
    !
    crypto ipsec profile CiscoCP_Profile1
     set transform-set ESP-3DES-SHA
     set isakmp-profile ciscocp-ike-profile-1
    !
    !
    crypto ctcp port 64444
    archive
     log config
      hidekeys
    !
    !
    ip tcp synwait-time 10
    ip ssh time-out 60
    ip ssh authentication-retries 2
    ip ssh version 1
    !
    !
    !
    interface Null0
     no ip unreachables
    !
    interface FastEthernet0
    !
    interface FastEthernet1
    !
    interface FastEthernet2
    !
    interface FastEthernet3
    !
    interface FastEthernet4
     description $ETH-WAN$$FW_OUTSIDE$
     ip address dhcp client-id FastEthernet4
     no ip redirects
     no ip unreachables
     no ip proxy-arp
     ip flow ingress
     ip nat outside
     ip virtual-reassembly
     duplex auto
     speed auto
    !
    interface Virtual-Template1 type tunnel
     description $FW_INSIDE$
     ip unnumbered FastEthernet4
     no ip redirects
     no ip unreachables
     no ip proxy-arp
     ip flow ingress
     tunnel mode ipsec ipv4
     tunnel protection ipsec profile CiscoCP_Profile1
    !
    interface Vlan1
     description $FW_INSIDE$
     ip address 10.10.10.1 255.255.255.0
     no ip redirects
     no ip unreachables
     no ip proxy-arp
     ip flow ingress
     ip nat inside
     ip virtual-reassembly
    !
    ip local pool SDM_POOL_1 10.10.30.10 10.10.30.15
    ip local pool SDM_POOL_2 10.10.10.80 10.10.10.85
    ip local pool SDM_POOL_3 10.10.20.10 10.10.20.15
    ip forward-protocol nd
    ip route 0.0.0.0 0.0.0.0 FastEthernet4 permanent
    ip http server
    ip http access-class 2
    ip http authentication local
    no ip http secure-server
    !
    !
    ip nat inside source list 1 interface FastEthernet4 overload
    !
    access-list 1 remark CCP_ACL Category=2
    access-list 1 permit 10.10.5.0 0.0.0.255
    access-list 1 permit 10.10.10.0 0.0.0.255
    access-list 2 remark HTTP Access-class list
    access-list 2 remark CCP_ACL Category=1
    access-list 2 permit 10.10.10.0 0.0.0.255
    access-list 2 deny   any
    no cdp run
    !
    !
    !
    !
    !
    control-plane
    !
    banner login ^CThis is a private router and all access is controlled and logged. ^C
    !
    line con 0
     no modem enable
     transport output telnet
    line aux 0
     transport output telnet
    line vty 0 4
     access-class 2 in
     transport input ssh
    !
    scheduler max-task-time 5000
    scheduler allocate 4000 1000
    scheduler interval 500
    end

    Core#

    Thanks for your help!

    Hi Joseph,

    You need a configuration like this:

    client pool: 10.10.20.0

    local network behind the router: 10.10.10.0

    R(config)#ip access-list extended 101
    R(config-ext-nacl)#deny ip 10.10.20.0 0.0.0.255 10.10.10.0 0.0.0.255
    R(config-ext-nacl)#permit ip 10.10.20.0 0.0.0.255 any

    interface Virtual-Template1 type tunnel
     description $FW_INSIDE$
     ip policy route-map VPN

    R(config)#ip access-list extended 103
    R(config-ext-nacl)#permit ip any 10.10.20.0 0.0.0.255

    R(config)#route-map VPN permit 10
    R(config-route-map)#match ip address 101
    R(config-route-map)#set interface loopback1
    R(config)#route-map VPN permit 20
    R(config-route-map)#match ip address 103
    R(config-route-map)#set interface loopback1

    You must now exempt the VPN traffic from NAT:

    ===================================

    R(config)#ip access-list extended 102
    R(config-ext-nacl)#deny ip 10.10.10.0 0.0.0.255 10.10.20.0 0.0.0.255
    R(config-ext-nacl)#permit ip 10.10.10.0 0.0.0.255 any
    R(config-ext-nacl)#deny ip 10.10.20.0 0.0.0.255 10.10.10.0 0.0.0.255
    R(config-ext-nacl)#permit ip 10.10.20.0 0.0.0.255 any

    ip nat inside source list 102 interface FastEthernet4 overload

    Let me know if this helps,

    Cheers,

    Christian V
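The reply above gives the pieces but never defines the loopback it policy-routes into, which is the part that makes the trick work: traffic that is looped through an `ip nat inside` interface is re-injected as inside traffic and so gets PATed out the WAN interface. The following is an added example that consolidates the procedure; it is not Christian's or Joseph's config. Pool, LAN and interface names come from Joseph's posted config; the Loopback1 address is an assumption (any otherwise unused address works).

```cisco
! Added example (not from the thread): full-tunnel IPsec clients get internet
! access through the router by hairpinning via a NAT-inside loopback.
! Assumption: 192.0.2.1/32 is unused here; it is only a re-injection point.
interface Loopback1
 ip address 192.0.2.1 255.255.255.255
 ip nat inside

! Client traffic (pool 10.10.20.0/24) to anything other than the home LAN
ip access-list extended 101
 deny   ip 10.10.20.0 0.0.0.255 10.10.10.0 0.0.0.255
 permit ip 10.10.20.0 0.0.0.255 any

! Policy-route that traffic into the loopback; it re-enters the router as if
! received on a "nat inside" interface and is then routed and translated normally.
route-map VPN permit 10
 match ip address 101
 set interface Loopback1

interface Virtual-Template1 type tunnel
 ip policy route-map VPN

! NAT source list: never translate LAN<->pool, PAT everything else.
ip access-list extended 102
 deny   ip 10.10.10.0 0.0.0.255 10.10.20.0 0.0.0.255
 permit ip 10.10.10.0 0.0.0.255 any
 deny   ip 10.10.20.0 0.0.0.255 10.10.10.0 0.0.0.255
 permit ip 10.10.20.0 0.0.0.255 any

! Swap the posted "list 1" rule for the "list 102" rule. IOS refuses to remove a
! dynamic mapping that has live translations, so clear them first.
clear ip nat translation *
no ip nat inside source list 1 interface FastEthernet4 overload
ip nat inside source list 102 interface FastEthernet4 overload

! Checks once a client has connected and opened a web page:
!   show route-map VPN          -> policy matches counter increases
!   show ip nat translations    -> entries with inside local 10.10.20.x
```

Unrelated to the routing problem but worth fixing while in the config: the posted running-config has `ip ssh version 1`, a 512-bit RSA keypair and 3DES for IKE and IPsec; a practitioner would move to `ip ssh version 2`, a 2048-bit key and AES.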

  • SIP over VPN tunnel

    We have a VPN tunnel on our firewall with another partner peer. We use an ASA 5520 with software image "asa825-k8" and ASDM version 6.4.

    Our partner has several services running over this VPN tunnel, including SIP.

    The other services work very well; only the SIP connections cannot come up.

    The thing is, we allowed any IP service on the inside and outside interfaces, but this still could not come up.

    Is there any SIP over VPN option that must be configured on the ASA?

    Hello

    As you can see in the logs, it is denied on the inside interface.

    You just need to allow this by opening an ACL for this traffic on port 5060.

    Let me know if it works.

    Kind regards

    Aditya

    Please rate useful posts and mark the correct answers.

  • Making the NAT for VPN through L2L tunnel clients

    Hi. I have the following situation in my network. Users who log on to our site with VPN clients need to connect to another site over an L2L tunnel. The problem is that I need to NAT the addresses from the VPN client pool into another range before they go over the L2L tunnel, because on the other side we have overlapping networks.

    I tried to do the NAT, with little success, as follows:

    ACL for NAT of the VPN pool:

    access-list TEST extended permit ip 192.168.253.0 255.255.255.0 192.168.0.0 255.255.255.0
    access-list TEST extended permit ip 192.168.253.0 255.255.255.0 192.168.5.0 255.255.255.0

    NAT:

    global (outside) 15 172.20.105.1-172.20.105.254
    nat (inside) 15 access-list TEST

    CRYPTO ACL:

    access-list RO extended permit ip LAN 255.255.0.0 192.168.0.0 255.255.255.0
    access-list RO extended permit ip LAN 255.255.0.0 192.168.5.0 255.255.255.0
    access-list RO extended permit ip 172.20.105.0 255.255.255.0 192.168.0.0 255.255.255.0
    access-list RO extended permit ip 172.20.105.0 255.255.255.0 192.168.5.0 255.255.255.0

    same-security-traffic permit intra-interface

    Am I missing something here? Is something like this possible at all?

    Thanks in advance for any help.

    We use an ASA 5510 with software version 8.0(3)6.

    You need to NAT on the outside, not the inside.

    nat (outside) 15 access-list TEST

  • SIP over VPN and 1.0.2.6 Firmware RV120W

    Updated to 1.0.2.6 and all of a sudden SIP devices that work via the VPN no longer work. Downgraded to version 1.0.1.3 and they work again. Any ideas? My guess is that some ports are blocked on the VPN in 1.0.2.6.

    I thought the whole idea was that firmware upgrades fixed bugs rather than introduced them.

    Suggestion for Cisco: zip the firmware image downloads, or have an upgrade process that includes a CRC check, so that at least the poor punter gets an indication if they have been corrupted. I had a subtle memory problem that corrupted certain files. The firmware download seemed to complete correctly and you could log on OK, but some menu choices resulted in a hang with the "Please wait... the page is loading" message. A thorough check of the file sizes revealed that the file I was uploading to the router differed in size from the one on the site; a few hundred bytes must have been corrupted during the download. But the upload went through normally with no indication of any errors. It's a pretty basic protection measure that should be there as a no-brainer: the router performing a CRC check and showing an error if it fails.

    Hello Michael,

    Maybe you have the SIP Application Layer Gateway active. Please try disabling it; SIP over VPN then works great.

    Firewall --> Advanced --> uncheck the SIP ALG checkbox.

    Thank you

    Nero - United Arab Emirates

  • Policy NAT for VPN L2L

    Summary:

    We are trying to establish a two-way L2L VPN tunnel with a partner. VPN traffic is one-to-many towards our partner, and our partner needs many-to-one to us (they need to access one host on our network). In addition, our partner has many VPNs, so they force us to use a separate NAT with two private host addresses, one for each direction of the tunnel.

    My initial configuration of the tunnel on my side got up through Phase 1, but not IPsec. The partner ran a debug that revealed that my hosts did not show the NATed addresses from the policy NAT. We use an ASA5520, version 7.0.

    Here is the config:

    ##List of OUR hosts
    object-group network OURHosts
     network-object host 192.168.x.y

    ##List of PARTNER hosts
    object-group network PARTNERHosts
     network-object host 10.2.a.b

    ###ACL for NAT
    # Many-to-many outgoing
    access-list NAT2 extended permit ip object-group OURHosts object-group PARTNERHosts

    # One-to-many incoming
    access-list VIH3 extended permit ip host 192.168.c.d object-group PARTNERHosts

    ##NAT
    nat (INSIDE) 2 access-list NAT2
    nat (OUTSIDE) 2 172.20.n.0
    nat (INSIDE) 3 access-list VIH3
    nat (OUTSIDE) 3 172.20.n.1

    ##ACL for VPN
    access-list VPN extended permit ip object-group OURHosts object-group PARTNERHosts
    access-list VPN extended permit ip host 192.168.c.d object-group PARTNERHosts

    ##Tunnel
    tunnel-group type ipsec-l2l
    crypto map <#> match address VPN
    crypto map <#> set transform-set VPN
    crypto map <#> set peer

    I realize that the ACL for the VPN should read:

    access-list VPN extended permit ip host 172.20.n.0 object-group PARTNERHosts
    access-list VPN extended permit ip host 172.20.n.1 object-group PARTNERHosts

    ... if the NAT were working properly, but when this ACL is used, Phase 1 does not even negotiate, so I know the NAT is never translating.

    What am I missing to NAT our hosts to the 172.20 addresses when they try to access the partner's internal addresses via the VPN?

    Thanks in advance.

    Patrick

    Here is the order of operations for NAT on the firewall:

    1. nat 0 access-list (NAT exemption)

    2. match existing xlates

    3. match static commands

    a. static NAT with no access-list

    b. static PAT with no access-list

    4. match nat commands

    a. nat [id] access-list (first match)

    b. nat [id] [address] [mask] (best match)

    i. if the id is 0, create an identity xlate

    ii. use the global pool for dynamic NAT

    iii. use the global pool for dynamic PAT

    If you can, try:

    (1) a static NAT with an access-list, which will take priority over the dynamic NAT statement

    (2) as you can see in 4a it uses first match for nat with an access-list, so theoretically swapping them around should do the trick.

    Do I see any negative consequences? Well, yes, you could lose all connectivity. I don't think that will happen, but I can't promise it, so absolutely do this after hours.

    Jon
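Jon's suggestion, a static NAT driven by an access-list (policy static NAT), written out as a complete pre-8.3 configuration for Patrick's two-address design. This is an added example, not Patrick's or Jon's config; the placeholders (172.20.n.0, 172.20.n.1, 192.168.x.y, 192.168.c.d, 10.2.a.b) are kept from the post. The pairing of `nat (inside)` with `global (outside)` under the same id replaces the `nat (OUTSIDE) 2 172.20.n.0` lines in the question, which do not form a dynamic NAT rule.

```cisco
! Added example (not from the thread): ASA pre-8.3 policy NAT for an L2L where
! each direction must use its own translated address.
object-group network OURHosts
 network-object host 192.168.x.y
object-group network PARTNERHosts
 network-object host 10.2.a.b

! Outbound, many-to-one: our hosts -> partner hosts leave as 172.20.n.0.
! A dynamic policy PAT is "nat (real_ifc) id access-list" + "global (mapped_ifc) id".
access-list NAT2 extended permit ip object-group OURHosts object-group PARTNERHosts
nat (inside) 2 access-list NAT2
global (outside) 2 172.20.n.0

! Inbound, one-to-many: partner hosts reach 192.168.c.d as 172.20.n.1.
! "static ... access-list" is the policy static NAT; it is bidirectional and is
! evaluated before the dynamic rule for the packets it matches.
access-list VIH3 extended permit ip host 192.168.c.d object-group PARTNERHosts
static (inside,outside) 172.20.n.1 access-list VIH3

! The crypto ACL must describe the post-NAT addresses the partner will see.
access-list VPN extended permit ip host 172.20.n.0 object-group PARTNERHosts
access-list VPN extended permit ip host 172.20.n.1 object-group PARTNERHosts

! Checks: the static xlate exists as soon as the config is applied; the dynamic
! one appears after our host sends the first packet to the partner.
!   show xlate | include 172.20.n
!   packet-tracer input inside tcp 192.168.c.d 1024 10.2.a.b 445   (7.2 and later)
```

If `show xlate` shows the translation but Phase 1 still does not start, the crypto map is not seeing the translated packet; confirm with `show crypto map` that `match address VPN` is on the map bound to the outside interface.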

  • Rule of NAT for vpn access... ?

    Hey, I'm setting up SSL VPN via the AnyConnect client on a new ASA 5510, ASA 8.4.2, ASDM 6.4.5.

    I am able to "connect" through the AnyConnect client and I am assigned an IP address from the VPN pool I created, but I can't ping or connect to internal servers.

    I think I have configured split tunneling OK following the guide below; I can browse the web nicely and quickly while connected to the VPN, but I just can't reach anything whatsoever on the internal network.

    http://www.Cisco.com/en/us/products/ps6120/products_configuration_example09186a0080975e83.shtml

    I suspect it's missing a NAT rule, but I am a bit stuck on whether it should be a network object NAT rule, whether it must be dynamic or static, and whether it goes between the outside interface (or outside IP) and the inside network or the VPN pool (I created the pool on a different subnet), or a "range" (but then I get overlapping IP errors when I try to create a rule for a range of IP addresses).

    Any advice appreciated,

    Hi Eunson,

    After the clients have connected to the ASA they receive an IP address, let's say from the 192.168.10.0/24 pool; the network behind the ASA is 192.168.20.0/24.

    On the ASA, you would need a NAT exemption from 192.168.20.0 to 192.168.10.0.

    Create two network objects, for the VPN pool and your internal LAN.

    object network obj-192.168.20.0
     subnet 192.168.20.0 255.255.255.0

    object network obj-192.168.10.0
     subnet 192.168.10.0 255.255.255.0

    nat (inside,outside) 1 source static obj-192.168.20.0 obj-192.168.20.0 destination static obj-192.168.10.0 obj-192.168.10.0 no-proxy-arp route-lookup

    Inside = the interface behind which your local LAN sits.

    Outside = the interface on which the clients connect.

    If you still can't get access, you can take a capture on the inside interface:

    create an ACL

    access-list test123 permit ip host x.x.x.x host y.y.y.y
    access-list test123 permit ip host y.y.y.y host x.x.x.x

    capture test123 interface inside access-list test123

    show capture test123

    It will show whether the packets are going out the inside interface and whether we see the replies or not. If we don't see any replies, it means there might be a routing problem on the internal LAN, as devices may not know to route the traffic for 192.168.10.0 back to the ASA's inside interface.

    Or maybe there is a firewall dropping packets on your internal LAN.

  • NAT before VPN - ASA L2L 8.3?

    Hello

    I have the following scenario:

    Net A - network 172.20.82.0/24 (under my control)

    Net B - public network (beyond my control)

    I have a lot of servers on Net A (172.20.82.0/24) that I would like to PAT behind a public IP address before the traffic is sent over a VPN to the remote site (Net B). From some quick reading, my understanding is that I'm going to need to:

    (a) perform an "inside/outside" PAT on the Net A "interesting" traffic to my public PAT address, and then...

    (b) apply the new public PAT address to the crypto ACL and the "NAT 0" ACL.

    i.e.

    (a)

    access-list NET_A_PAT permit ip 172.20.82.0 255.255.255.0 NET_B_NETWORK NET_B_NETMASK
    nat (inside) 20 access-list NET_A_PAT
    global (outside) 20 MY_PUBLIC_PAT

    then (b)

    access-list NO_NAT extended permit ip host MY_PUBLIC_PAT NET_B_NETWORK NET_B_NETMASK
    access-list CRYPTO_MAP extended permit ip host MY_PUBLIC_PAT NET_B_NETWORK NET_B_NETMASK

    First question is: is this right? I think it is, but I'm just wanting clarification.

    Second question is: I am also running a "standard" PAT on the "outside" interface of the ASA for normal internet traffic (browsing etc.). If I perform a PAT inside/outside as shown above, will it then try to pass the encrypted packets using my "new" PAT instead of the IP address of the VPN endpoint interface? Or will it process my first PAT, then encrypt, then re-wrap using the "real" outside interface IP PAT?

    Hope I'm reasonably clear - thanks in advance.

    (a) correct

    (b) partly right: the crypto ACL is correct; however, you don't need the NAT 0 ACL since you are doing a PAT.

    Second question - no, PAT comes first, then it will encrypt the packet with the IP address of the interface that is the VPN endpoint.
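The question is titled for ASA 8.3 but the config it shows is pre-8.3 syntax. The same "PAT first, then encrypt with the endpoint address" design in 8.3+ manual NAT, as an added example that is not the poster's or answerer's config; the NET_B and MY_PUBLIC_PAT placeholders are kept from the post, and the object names and the `packet-tracer` addresses are assumptions.

```cisco
! Added example (not from the thread): ASA 8.3+ equivalent of the pre-8.3
! "nat (inside) 20 access-list" / "global (outside) 20" pair in the question.
object network NET_A
 subnet 172.20.82.0 255.255.255.0
object network NET_B
 subnet NET_B_NETWORK NET_B_NETMASK
object network MY_PUBLIC_PAT
 host MY_PUBLIC_PAT

! Section 1 manual NAT: only when the destination is Net B, PAT Net A behind the
! public address. First match wins in section 1, so it is listed first (line 1).
nat (inside,outside) 1 source dynamic NET_A MY_PUBLIC_PAT destination static NET_B NET_B

! The ordinary internet PAT for everything else. "after-auto" places it in
! section 3, so it cannot shadow the rule above.
nat (inside,outside) after-auto source dynamic any interface

! Crypto ACL matches the post-NAT source. No NAT exemption is needed: the
! translated address is exactly the one that should be encrypted.
access-list CRYPTO_MAP extended permit ip object MY_PUBLIC_PAT object NET_B

! Checks (assumed addresses):
!   packet-tracer input inside tcp 172.20.82.10 1025 <net-B-host> 443
!     -> NAT phase: 172.20.82.10 -> MY_PUBLIC_PAT; VPN phase: encrypt
!   show nat detail     -> translate_hits on the section 1 rule only for Net B traffic
```

The order matters in both syntaxes: on pre-8.3 the policy `nat ... access-list` beats the plain `nat (inside) 1 0 0`, and on 8.3+ the section 1 rule beats the section 3 `after-auto` rule, so internet-bound traffic from the same servers keeps using the normal interface PAT.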

  • Routing over VPN between ISA550W and RV215W

    Hello all, I have a problem with the VPN between my two offices.

    I have an ISA550W at the head office (chcnorth).

    I have an RV215W at the remote office (chcsouth).

    The VPN is up and running; I can connect from headquarters to the remote site (chcsouth-RV215W)

    and vice versa. However, when client computers on the remote end try to connect to the

    main office to access the database, they can't.

    The problem started last week. I received a call from the remote office that they couldn't connect to our database

    at the main office. I tried to connect remotely to see what was going on, and it turned out that the router had completely reset

    to factory defaults, including the firmware.

    I reinstalled the latest firmware for the RV215W and set up all connections as they were. I could

    get the VPN to connect, I can ping the interface of the RV215W from my seat and I can ping the ISA550W from

    the remote office; however, my remote clients still cannot access my server at the main office.

    I realized after I had everything set up that I had a backup of my original installation, and thinking I had

    just missed something, I restored the router to factory firmware, upgraded it again and restored the backup of the

    RV215W I had. Still no dice.

    So I am now at a loss. There were no other changes to the network on either end; I've been over this so many times my eyes

    are blurred.

    Any ideas, workarounds or solutions would be greatly appreciated.

    Thanks in advance

    John G

    John,

    It sounds like your problem is more DNS related, as you can access the server by its IP address if the "connection" lets you set it up that way. It is quite common that you cannot resolve names through the tunnel because NetBIOS broadcasts will not pass. The RV215W does not have shared DNS within the tunnel settings, so that isn't an option either.

    If the "connection" is a PC, you can work around this by editing the LMHOSTS file. Please see the following instructions:

    http://www.JakeLudington.com/Windows_7/20100924_how_to_edit_windows_7_lmhosts_file.html

    In your case, it might look more like:

    192.168.1.200 sqlsvr

    Now if you ping or try to access sqlsvr from the computer, it will automatically know that it should go to 192.168.1.200 without having to look up the IP address.

    Answer please if you have any questions.

    -Marty

  • NAT with VPN

    Hello friends

    I'm a noob with firewalls and I'm creating a site-to-site VPN with a customer with the following information:

    My site:

    10.204.x.x/24

    10.69.0.0/24

    others

    Customer site:

    172.30.20.0/24

    But my 10.69.0.0 network is also an internal network of the client, so they asked me to do a NAT: when the 10.69.0.0 network goes to 172.30.20.0, it must go out with IPs from 172.30.100.0.

    Does anyone know what configuration can make it work?

    Thank you

    Marcio,

    You can use a static policy NAT:

    object network LAN-10.69.0.0
     subnet 10.69.0.0 255.255.x.x

    object network obj-172.30.100.0_nat
     subnet 172.30.100.0 255.255.255.0

    object network obj-172.30.20.0
     subnet 172.30.20.0 255.255.255.0

    nat (inside,outside) source static LAN-10.69.0.0 obj-172.30.100.0_nat destination static obj-172.30.20.0 obj-172.30.20.0

    -JP-

  • Help without NAT and VPN Config DMZ.

    Before the VPN, we were running with "nonatdmz". Recently we tried to implement a VPN solution using "VPNRA".

    The ASA OS only lets you use one "NAT 0" at a time; how do you get around that?

    TIA

    access-list nonatdmz extended permit ip any 192.168.100.0 255.255.255.0
    nat (inside) 0 access-list nonatdmz

    access-list VPNRA extended permit ip 172.0.0.0 255.0.0.0 10.17.70.0 255.255.255.0
    nat (inside) 0 access-list VPNRA

    You can add several lines to your nonatdmz access-list, for example:

    access-list nonatdmz extended permit ip any 192.168.100.0 255.255.255.0
    access-list nonatdmz extended permit ip 172.0.0.0 255.0.0.0 10.17.70.0 255.255.255.0
    nat (inside) 0 access-list nonatdmz

  • Static NAT enable VPN site-to-site.

    Hello

    We plan to build a site-to-site VPN, but we have only a single public routable internet IP address to assign to the VPN at Site A; Site B is OK.

    In this case, I think we must use static NAT on the router. A simple diagram is below.

    Site A internal subnet - VPN router A - Site A internet router - Internet - VPN router B - Site B internal subnet.

    The final goal is communication between internal subnet A and subnet B over the IPsec tunnel.

    OK, as I said, Site A has one public IP address, so it must use static NAT, which needs to be applied on the Site A router.

    Router

    interface x/x
     description to the internet
     ip nat outside
    !
    interface x/x
     description to internal (VPN)
     ip nat inside
    !
    ip nat inside source static <private VPN interface IP x.x.x.x> <public IP address x.x.x.x>

    So, will it work without any problem? I think it will, but I would like to confirm just in case.

    Hey,

    Is this what you are trying to achieve:

    subnet A - VPN router A = router = router B - subnet B

    and you need to communicate between subnet A and subnet B via IPsec VPN?

    Regards
