On the Question of VPN S2S source NAT

Currently we have a number of implementation of VPN with various clients. We are NAT'ing range them at a 24 in our network to keep simple routing, but we seek to NAT Source our resources due to security problems. It is an example of a current virtual private network that we have configured:

outside_map crypto card 5 corresponds to the address SAMPLE_cryptomap

outside_map 5 peer set 99.99.99.99 crypto card

card crypto outside_map 5 set ikev1 transform-set ESP-3DES-MD5 SHA-ESP-3DES

card crypto outside_map 5 the value reverse-road

SAMPLE_cryptomap list extended access permitted ip object-group APP_CLIENT_Hosts-group of objects CLIENT_Hosts

NAT (inside, outside) static source APP_CLIENT_Hosts APP_CLIENT_Hosts CLIENT_Host_1_NAT CLIENT_Host_1 non-proxy-arp-search of route static destination

NAT (inside, outside) static source APP_CLIENT_Hosts APP_CLIENT_Hosts CLIENT_Host_2_NAT CLIENT_Host_2 non-proxy-arp-search of route static destination

NAT (inside, outside) static source APP_CLIENT_Hosts APP_CLIENT_Hosts CLIENT_Host_3_NAT CLIENT_Host_3 non-proxy-arp-search of route static destination

the APP_CLIENT_Hosts object-group network

network-object, object SITE1_APP_JCAPS_Dev_VIP

network-object, object SITE1_APP_JCAPS_Prod_VIP

network-object, object SITE2_APP_JCAPS_Dev_Host

network-object, object SITE2_APP_JCAPS_Prod_VIP

network-object, object SITE1_APP_PACS_Primary

network of the SITE1_APP_JCAPS_Dev_VIP object

Home 10.200.125.32

network of the SITE1_APP_JCAPS_Prod_VIP object

Home 10.200.120.32

network of the SITE2_APP_JCAPS_Dev_Host object

Home 10.30.15.30

network of the SITE2_APP_JCAPS_Prod_VIP object

Home 10.30.10.32

network of the SITE1_APP_PACS_Primary object

Home 10.200.10.75

network of the CLIENT_Host_1 object

host of the object-Network 192.168.15.100

network of the CLIENT_Host_2 object

host of the object-Network 192.168.15.130

network of the CLIENT_Host_3 object

host of the object-Network 192.168.15.15

network of the CLIENT_Host_1_NAT object

host of the object-Network 10.200.192.31

network of the CLIENT_Host_2_NAT object

host of the object-Network 10.200.192.32

network of the CLIENT_Host_3_NAT object

host of the object-Network 10.200.192.33

My question revolves around the Source NAT configuration. If I understand correctly, I have to configure 3 statements of NAT per NAT Source since there are three different destinations that are NAT' ed. I think I would need to add this:

network of the SITE1_APP_JCAPS_Dev_VIP_NAT object

Home 88.88.88.81

network of the SITE1_APP_JCAPS_Prod_VIP_NAT object

Home 88.88.88.82

network of the SITE2_APP_JCAPS_Dev_Host_NAT object

Home 88.88.88.83

network of the SITE2_APP_JCAPS_Prod_VIP_NAT object

Home 88.88.88.84

network of the SITE1_APP_PACS_Primary_NAT object

Home 88.88.88.85

NAT (inside, outside) static source SITE1_APP_JCAPS_Dev_VIP SITE1_APP_JCAPS_Dev_VIP_NAT CLIENT_Host_1_NAT CLIENT_Host_1 non-proxy-arp-search of route static destination

NAT (inside, outside) static source SITE1_APP_JCAPS_Dev_VIP SITE1_APP_JCAPS_Dev_VIP_NAT CLIENT_Host_2_NAT CLIENT_Host_2 non-proxy-arp-search of route static destination

NAT (inside, outside) static source SITE1_APP_JCAPS_Dev_VIP SITE1_APP_JCAPS_Dev_VIP_NAT CLIENT_Host_3_NAT CLIENT_Host_3 non-proxy-arp-search of route static destination

NAT (inside, outside) static source SITE1_APP_JCAPS_Prod_VIP SITE1_APP_JCAPS_Prod_VIP_NAT CLIENT_Host_1_NAT CLIENT_Host_1 non-proxy-arp-search of route static destination

NAT (inside, outside) static source SITE1_APP_JCAPS_Prod_VIP SITE1_APP_JCAPS_Prod_VIP_NAT CLIENT_Host_2_NAT CLIENT_Host_2 non-proxy-arp-search of route static destination

NAT (inside, outside) static source SITE1_APP_JCAPS_Prod_VIP SITE1_APP_JCAPS_Prod_VIP_NAT CLIENT_Host_3_NAT CLIENT_Host_3 non-proxy-arp-search of route static destination

NAT (inside, outside) static source SITE2_APP_JCAPS_Dev_Host SITE2_APP_JCAPS_Dev_Host_NAT CLIENT_Host_1_NAT CLIENT_Host_1 non-proxy-arp-search of route static destination

NAT (inside, outside) static source SITE2_APP_JCAPS_Dev_Host SITE2_APP_JCAPS_Dev_Host_NAT CLIENT_Host_2_NAT CLIENT_Host_2 non-proxy-arp-search of route static destination

NAT (inside, outside) static source SITE2_APP_JCAPS_Dev_Host SITE2_APP_JCAPS_Dev_Host_NAT CLIENT_Host_3_NAT CLIENT_Host_3 non-proxy-arp-search of route static destination

NAT (inside, outside) static source SITE2_APP_JCAPS_Prod_VIP SITE2_APP_JCAPS_Prod_VIP_NAT CLIENT_Host_1_NAT CLIENT_Host_1 non-proxy-arp-search of route static destination

NAT (inside, outside) static source SITE2_APP_JCAPS_Prod_VIP SITE2_APP_JCAPS_Prod_VIP_NAT CLIENT_Host_2_NAT CLIENT_Host_2 non-proxy-arp-search of route static destination

NAT (inside, outside) static source SITE2_APP_JCAPS_Prod_VIP SITE2_APP_JCAPS_Prod_VIP_NAT CLIENT_Host_3_NAT CLIENT_Host_3 non-proxy-arp-search of route static destination

NAT (inside, outside) static source SITE1_APP_PACS_Primary SITE1_APP_PACS_Primary_NAT CLIENT_Host_1_NAT CLIENT_Host_1 non-proxy-arp-search of route static destination

NAT (inside, outside) static source SITE1_APP_PACS_Primary SITE1_APP_PACS_Primary_NAT CLIENT_Host_2_NAT CLIENT_Host_2 non-proxy-arp-search of route static destination

NAT (inside, outside) static source SITE1_APP_PACS_Primary SITE1_APP_PACS_Primary_NAT CLIENT_Host_3_NAT CLIENT_Host_3 non-proxy-arp-search of route static destination

Is that correct, or is at - it an easier way to do this without having to add all statements of NAT? Moreover, any change would be to do on the access list?

Hello

To my knowledge you should not create several new instructions from NAT. You should be well just create a new Group 'object' for new addresses your source address NAT.

To better explain, take a look at your current ' object-group ' that defines your source addresses

the APP_CLIENT_Hosts object-group network

network-object, object SITE1_APP_JCAPS_Dev_VIP

network-object, object SITE1_APP_JCAPS_Prod_VIP

network-object, object SITE2_APP_JCAPS_Dev_Host

network-object, object SITE2_APP_JCAPS_Prod_VIP

network-object, object SITE1_APP_PACS_Primary

Now you can do this sets up a "object-group" that contains a NAT IP address for each of the IP addresses inside the ' object-group ' and 'object' used above. The IMPORTANT thing is that the ' object-group ' that contains the NAT IP addresses is in the SAME ORDER as the actual source addresses.

I mean, this is the first IP address is in most object - group ' will correspond to the first IP address in the newly created "object-group" for the IP NAT addresses.

As above, you can simply have the same "nat" configurations 3 as before but you change/add in the newly created "object-group"

For example, you might do the following

network of the SITE1_APP_JCAPS_Dev_VIP_NAT object

Home 88.88.88.81

network of the SITE1_APP_JCAPS_Prod_VIP_NAT object

Home 88.88.88.82

network of the SITE2_APP_JCAPS_Dev_Host_NAT object

Home 88.88.88.83

network of the SITE2_APP_JCAPS_Prod_VIP_NAT object

Home 88.88.88.84

network of the SITE1_APP_PACS_Primary_NAT object

Home 88.88.88.85

the APP_CLIENT_Hosts_NAT object-group network

network-object, object SITE1_APP_JCAPS_Dev_VIP_NAT

network-object, object SITE1_APP_JCAPS_Prod_VIP_NAT

network-object, object SITE2_APP_JCAPS_Dev_Host_NAT

network-object, object SITE2_APP_JCAPS_Prod_VIP_NAT

network-object, object SITE1_APP_PACS_Primary_NAT

Then you add the following configurations of "nat"

NAT (inside, outside) 1 static source APP_CLIENT_Hosts APP_CLIENT_Hosts_NAT CLIENT_Host_1_NAT CLIENT_Host_1 non-proxy-arp-search of route static destination

Static NAT APP_CLIENT_Hosts APP_CLIENT_Hosts_NAT static destination CLIENT_Host_2_NAT CLIENT_Host_2 non-proxy-arp-search of source route 2 (inside, outside)

NAT 3 (indoor, outdoor) static source APP_CLIENT_Hosts APP_CLIENT_Hosts_NAT CLIENT_Host_3_NAT CLIENT_Host_3 non-proxy-arp-search of route static destination

Note line numbers, we added the above commands. This allows them to enter the upper part of the ASAs NAT rules, and therefore, they will become active immediately. Without line numbers that they will only be used after when you remove the old lines.

Then you can remove the "old"

no nat source (indoor, outdoor) public static APP_CLIENT_Hosts APP_CLIENT_Hosts CLIENT_Host_1_NAT CLIENT_Host_1 non-proxy-arp-search of route static destination

no nat source (indoor, outdoor) public static APP_CLIENT_Hosts APP_CLIENT_Hosts CLIENT_Host_2_NAT CLIENT_Host_2 non-proxy-arp-search of route static destination

no nat source (indoor, outdoor) public static APP_CLIENT_Hosts APP_CLIENT_Hosts CLIENT_Host_3_NAT CLIENT_Host_3 non-proxy-arp-search of route static destination

This should leave you with 3 configurations "nat" who made the NAT source addresses and destination.

Naturally while you perform this change you will also have to change the ACL Crypto to match the new source NAT. This is because as all NAT is done before any VPN on the ASA. So the destination addresses are Nations United for before VPN and source addresses are translated before VPN.

If you do not want to make the changes without affecting the connections too so I suggest

Add rules to the ACL Crypto for new addresses (NAT) source. Of course, this must be done on both sides of the VPN L2L. You would still be leaving the original configurations to the Crypto ACL does not not the functioning of the L2L VPN.
Add new configurations of "nat" above without the line numbers I mentioned who mean you that they wont be used until you remove the "old".
When you are ready to be migrated to use the new IP addresses, simply remove the original "nat" configurations and the ASA will start the corresponding traffic for new "nat" configurations. Provided of course that there is no other "nat" configuration before the nine that could mess things up. This should be verified by the person making the changes.

Of course if you can afford a small cut when then changing the order in which you do things should not matter that much. In my work, that connections are usually not that critical that you can't make these changes almost at any point as it is a matter of minutes what it takes to make changes.

Hope this made sense and helped

Remember to mark a reply as the answer if it answered your question.

Feel free to ask more if necessary.

-Jouni

Tags: Cisco Security

Similar Questions

Application of VPN S2S (with NAT)

Hello experts,

ASA (8.2) and standard Site 2 Site Internet access related configs.

Outside: 1.1.1.1/24-> peer IP VPN S2S.

Inside: Pvt subnets

Standard "Nat 0' orders and crypto ACL for our remote offices, local networks with IP whp program.

Requirement:

Need to connect the PC to external clients (3.3.3.3 & 4.4.4.4) on tcp/443 via vpn S2S on our LAN. Client only accepts only the host with public IPs.

I need NAT to my internal IP to the public IP say 1.1.1.2 and establish the VPN tunnel between 1.1.1.1-> PRi Client-side & secondary IPs (Cisco router).

(without losing connectivity to remote offices). No policy NAT work here?

ex:

My Intern: 10.0.0.0/8 and 192.168.0.0/16
Assigned IP available for NAT (some time to connect to the client only): 1.1.1.5

External client LAN IPs: 3.3.3.3 & 4.4.4.4

PAT: permit TOCLIENT object-group MYLAN object-group CUSTOMER LAN ip extended access-list

NAT (inside) 5-list of access TOCLIENT

5 1.1.1.5 (outside) global

Crypto: tcp host 1.1.1.5 allowed extended CRYPTO access list object-group CUSTOMER LAN eq 443

Outsidemap 1 crypto card matches the address CRYPTO

Customer will undertake to peer with IP 1.1.1.1 only.

Do I need a ' Nat 0' configs here?

Also, for the specifications of the phase 2, it is not transform-set options gives. Info given was

Phase2: AH: people with mobility reduced, life: 3 600 s, PFS: disabled, LZS Compression: disabled.
This works with options of the phase 2?

Thanks in advance

MS

Hello

«Existing NAT (inside) 1 & global (outside) does not interfere with NAT 5 when users try to reach the ClientLAN.»

Your inside nat index is '1', while the dynamic policy-nat is index '5 '.

"" For the phase 2 in general, we define Crypto ipsec transform-set TEST ".

Sure, the remote tunnel peers even accept transform set, everything you put up with the example below and distant homologous put the same tunnel.

Crypto ipsec transform-set ESP-AES-128-SHA aes - esp esp-sha-hmac

"In this scenario, no need to define any what and just add empty transform don't set statement under card crypto?

No you need a defined transformation.

"3. If we want to limit the destination port 443, I need to use separate VPN filters?

That's right, use a vpn-filter.

"4. we have several phase 1 configs, but wanted to use AES256 & DH5 (new policy)"... for s2s, these options work fine. ""

Of course, you have set the phase 1, as required.

Thank you

Rizwan James

Inside Source NAT from the remote host and VPN from Site to Site

Hi all

I was in charge of the construction of a vpn tunnel with a firewall PIX of our business partner company and ASA of the other company of the firewall. Traffic will be A partner business users will access my company Citrix server. I want to source-pat the user traffic partner company to PIX of my business within the interface to its entry in my LAN to access my company Citrix server. The partner company will be PAT'ing their traffic from users to a single ip address - Let's say for discussion end is 65.99.100.101. There is the site to site vpn configuration, and configure nat be performed to allow this traffic in accordance with the above provisions.

I'm more concerned about the accuracy of the configuration of the domain encryption because NAT is involved in this whole upward. My goal is to NAT (of the other company company a) ip address to a routable ip address in my company network.

The fundamental question here is should I include the ip address of real source (65.99.100.101) of the company the user or IP natted (10.200.11.9) in the field of encryption.

In other words should the encryption field looks like this

OPTION A.

permit ip host 10.200.11.103 65.99.100.101

OR

OPTION B

permit ip host 10.200.11.103 10.200.11.9

I'm inclined to think it should look like OPTION A. Here's the part of MY complete SOCIETY of the VPN configuration. I've also attached a diagram illustrating this topology.

Thanks in advance,

Adil

CONFIG BELOW

------------------------------------------------

#################################################

Object-group Config:

#################################################

the COMPANY_A_NETWORK object-group network

Description company network access my company A firm Citrix

host of the object-Network 65.99.100.101

the MYCOMPANY_CITRIX_FARM object-group network

Description farm Citrix accessible Takata by Genpact

host of the object-Network 10.200.11.103

################################################

Config of encryption:

################################################

crypto ISAKMP policy 20

preshared authentication

3des encryption

sha hash

Group 2

life 86400

********************************

CRYPTO MAP

********************************

crypto Outside_map 561 card matches the address Outside_561_cryptomap

card crypto Outside_map 561 set peer 55.5.245.21

Outside_map 561 transform-set ESP-3DES-SHA crypto card game

********************************

TUNNEL GROUP

********************************

tunnel-group 55.5.245.21 type ipsec-l2l

IPSec-attributes tunnel-group 55.5.245.21

pre-shared-key * 55.5.245.21

*******************************

FIELD OF CRYPTO

*******************************

Outside_561_cryptomap list extended access permitted ip object-group MYCOMPANY_CITRIX_FARM-group of objects COMPANY_A_NETWORK

###########################################

NAT'ing

###########################################

Global (inside) 9 10.200.11.9

NAT (9 genpact_source_nat list of outdoor outdoor access)

genpact_source_nat list extended access permit ip host 65.99.100.101 all

genpact_source_nat list extended access permit ip host 65.99.100.102 all

! For not natting ip address of the Citrix server

Inside_nat0 list extended access permitted ip object-group MYCOMPANY_CITRIX_FARM-group of objects COMPANY_A_NETWORK

You must include pre - nat ip 65.99.x.x in your crypto-card, like you did.

For me, config you provided here looks good and meets your needs.

One thing, I do not see here the nat rule real 0, but there is the ACL that NAT. probably, you just forgot this rule.

65.99.100.101 #sthash.mQm0FIOM.dpuf

VPN site2site & VPN client dailin on the question of a single interface

Hello dear colleagues,

First of all, the question of information subsequently:

Setup

C2801 race

(C2801-ADVENTERPRISEK9-M), Version 12.4 (25f)

----------                                                    ----------

| Central | Di1 IP:80.153.xxx.xxx | DISTANCE | IP: 91.218.xxx.xxx

| Router | <----------------------------------------->     | Router |

-IPsec via GRE Tu1 - works | Debian |

^                                                   |          |

|                                                     ----------

|    does not work

|---------------------------------------->-------------------

| Cisco VPN | Intellectual property: all

| Customer |

-------------------

!

AAA authentication login default local activate

AAA authentication login local VPN_Users

RADIUS group AAA authorization network default authenticated if

AAA authorization VPN_Users LAN

!

AAA - the id of the joint session

iomem 20 memory size

clock timezone THIS 1

clock summer-time EST recurring last Sun Mar 02:00 last Sun Oct 03:00

IP cef

!

username myVPN secret 5

!

!

crypto ISAKMP policy 1

BA 3des

preshared authentication

Group 2

life 3600

address key crypto isakmp xauth No. 91.218.xxx.xxx

ISAKMP crypto nat keepalive 20

!

Configuration group customer isakmp crypto VPN_dialin

key

DNS 192.168.198.4

domain example.com

pool VPN

ACL VPN

Crypto isakmp VPNclient profile

match of group identity VPN_dialin

client authentication list VPN_Users

ISAKMP authorization list VPN_Users

client configuration address respond

!

Crypto ipsec security association idle time 3600

!

Crypto ipsec transform-set esp-3des esp-sha-hmac hostb-transform

transport mode

Crypto ipsec transform-set ESP-AES-128-SHA aes - esp esp-sha-hmac

Crypto ipsec transform-set ESP-AES-128-SHA-LZS, hmac-sha-esp esp - aes comp-lzs

!

!

crypto dynamic-map vpn-dynamic-map 10

game of transformation-ESP ESP-AES-128-SHA-AES-128-SHA-LZS

Define VPNclient isakmp-profile

!

!

!

HostB-cryptomap 1 ipsec-isakmp crypto map

the value of 91.218.xxx.xxx peer

the transform-set hostb-transform value

PFS group2 Set

corresponds to hostb-address list

!

dynamic map crypto hostb-crytomap 65535-isakmp ipsec vpn-dynamic-map

!

!

!

!

!

!

Tunnel1 interface

bandwidth 100000

IP vrf forwarding vl199

IP 10.0.201.2 255.255.255.0

IP 1400 MTU

IP nat inside

IP virtual-reassembly

IP ospf network point

source of Dialer1 tunnel

destination 91.218.xxx.xxx tunnel

bandwidth tunnel pass 10000

bandwidth tunnel receive 50000

!

interface Dialer1

Description # PPPoE T-Online.

MTU 1492

bandwidth 50000

IP ddns update hostname it-s - dd.dyndns.org

IP ddns update it-s-dd_dyndns_org

the negotiated IP address

NAT outside IP

IP virtual-reassembly max-pumping 512

encapsulation ppp

IP tcp adjust-mss 1452

no ip mroute-cache

Dialer pool 1

Dialer idle-timeout 0

persistent Dialer

KeepAlive 20

No cdp enable

Authentication callin PPP chap Protocol

PPP chap hostname

PPP chap password 7

PPP pap sent-username password 7

PPP ipcp dns request

card crypto hostb-cryptomap

Crypto ipsec fragmentation after encryption

!

!

local pool IP VPN 192.168.196.30 192.168.196.60

IP forward-Protocol ND

IP route 0.0.0.0 0.0.0.0 Dialer1 track 1

IP route 0.0.0.0 0.0.0.0 Tunnel1 20 Track3

IP route 0.0.0.0 0.0.0.0 Dialer1 254

IP route vrf vl199 0.0.0.0 0.0.0.0 192.168.1.251

IP route vrf vl99 0.0.0.0 0.0.0.0 192.168.3.1

!

The dns server IP

!

no ip address of the http server

no ip http secure server

TCP-time translation nat IP 3600

translation of nat IP udp-timeout 600

IP nat Pat_for_192.168.198.4 192.168.198.4 pool 192.168.198.4 netmask 255.255.255.0 type

IP nat Pat_for_192.168.200.50 192.168.200.50 pool 192.168.200.50 netmask 255.255.255.0 type

IP nat inside source static 5060 udp interface 192.168.200.50 Dialer1 5060

IP nat inside source static tcp 192.168.200.51 3389 3389 Dialer1 interface

IP nat inside source static tcp 192.168.198.4 3389 interface Dialer1 3390

IP nat inside source static tcp 192.168.198.9 interface 5000 Dialer1 5000

IP nat inside source overload map route dialer1 interface Dialer1

IP nat inside interface 13001 static udp 192.168.199.3 source Dialer1 13001

IP nat inside interface 32768 static udp 192.168.179.2 source Dialer1 32768

IP nat inside source static udp 192.168.179.2 Dialer1 49152 49152 interface

IP nat inside interface 64206 static udp 192.168.179.2 source Dialer1 64206

IP nat inside source static udp 192.168.179.2 interface 7597 Dialer1 7597

IP nat inside source static tcp 192.168.179.2 9998 interface Dialer1 9998

IP nat inside source static tcp 192.168.179.2 7597 interface Dialer1 7597

IP nat inside source static tcp 192.168.179.2 64206 interface Dialer1 64206

IP nat inside source static tcp 192.168.179.2 Dialer1 49152 49152 interface

IP nat inside source static tcp 192.168.179.2 Dialer1 32768 32768 interface

IP nat inside source static tcp 192.168.198.4 interface 443 443 Dialer1

IP nat inside destination list Pat_for_192.168.198.4 pool Pat_for_192.168.198.4

IP nat inside destination list Pat_for_192.168.200.50 pool Pat_for_192.168.200.50

!

Pat_for_192.168.198.4 extended IP access list

Note = Pat_for_192.168.198.4 =-

permit tcp any any eq www

permit tcp any any eq 987

permit tcp any any eq 143

permit tcp any any eq 993

permit tcp any any eq pop3

permit tcp any any eq 995

permit tcp any any eq 587

permit tcp any any eq ftp

permit tcp any any eq ftp - data

permit tcp any any eq smtp

Pat_for_192.168.200.50 extended IP access list

Note = Pat_for_192.168.200.50 =-

allow udp everything any 10000 20000 Beach

permit tcp everything any 5222 5223 Beach

allow udp any any eq 4569

permit any any eq 5060 udp

list of IP - VPN access scope

IP 192.168.198.0 allow 0.0.0.255 192.168.196.0 0.0.0.255

permit ip host 80.153.xxx.xxx 192.168.196.0 0.0.0.255

list hostb extended IP access list

permit ip host 91.218.xxx.xxx host 80.153.xxx.xxx

permit ip host 80.153.xxx.xxx host 91.218.xxx.xxx

permit ip host 10.0.201.2 10.0.201.1

!

!

access-list 10 permit 192.168.200.6

access-list 100 permit ip 192.168.0.0 0.0.255.255 everything

access-list 100 permit ip 10.1.0.0 0.0.255.255 everything

access-list 100 permit ip 10.0.0.0 0.0.255.255 everything

access-list 101 permit ip 192.168.199.3 host everything

access-list 101 permit ip 192.168.199.4 host everything

access-list 101 permit ip 192.168.199.13 host everything

access-list 101 permit ip 192.168.199.14 host everything

access list 101 ip allow any host 204.13.162.123

access-list 103 allow ip 10.0.1.0 0.0.0.255 any

!

dialer1 allowed 10 route map

corresponds to the IP 100

match interface Dialer1

!

!

####################################################################################################

SH crypto isakmp his:

status of DST CBC State conn-id slot

91.218.xxx.xxx 80.153.xxx.xxx QM_IDLE 7 0 ACTIVE

80.153.248.167 QM_IDLE 12 0 ASSETS

######################################################################################

SH encryption session

Current state of the session crypto

Interface: Virtual-Access5

The session state: down

Peer: port of 91.218.xxx.xxx 500

FLOW IPSEC: allowed ip host 10.0.201.2 10.0.201.1

Active sAs: 0, origin: card crypto

FLOW IPSEC: allowed ip host 80.153.xxx.xxx host 91.218.xxx.xxx

Active sAs: 0, origin: card crypto

FLOW IPSEC: allowed ip host 91.218.xxx.xxx host 80.153.xxx.xxx

Active sAs: 0, origin: card crypto

Interface: Dialer1

The session state: UP-NO-IKE

Peer: port of 91.218.xxx.xxx 500

IKE SA: local 80.153.xxx.xxx/500 remote 91.218.xxx.xxx/500 inactive

FLOW IPSEC: allowed ip host 10.0.201.2 10.0.201.1

Active sAs: 0, origin: card crypto

FLOW IPSEC: allowed ip host 80.153.xxx.xxx host 91.218.xxx.xxx

Active sAs: 4, origin: card crypto

FLOW IPSEC: allowed ip host 91.218.xxx.xxx host 80.153.xxx.xxx

Active sAs: 0, origin: card crypto

Interface: Dialer1

The session state: IDLE-UP

Peer: port of 55033

ITS IKE: local 80.153.xxx.xxx/4500 distance 55033 Active

################################################################################################################################

Error message:

020932: 2 Oct 21:55:14.459 CEST: IPSEC (validate_transform_proposal): No IPSEC cryptomap is to address local 80.153.xxx.xxx

020933: 2 Oct 21:55:14.459 CEST: IPSEC (validate_proposal_request): part #1 of the proposal

(Eng. msg key.) Local INCOMING = 80.153.xxx.xxx, distance =,.

local_proxy = 0.0.0.0/0.0.0.0/0/0 (type = 4),

remote_proxy = 192.168.196.32/255.255.255.255/0/0 (type = 1),

Protocol = ESP, transform = esp - esp-md5-hmac (Tunnel-UDP).

lifedur = 0 and 0kb in

SPI = 0 x 0 (0), id_conn = 0, keysize = 0, flags = 0 x 400

020934: 2 Oct 21:55:14.459 CEST: IPSEC (validate_transform_proposal): No IPSEC cryptomap is to address local 80.153.xxx.xxx

020935: 2 Oct 21:55:14.459 CEST: IPSEC (validate_proposal_request): part #1 of the proposal

(Eng. msg key.) Local INCOMING = 80.153.xxx.xxx, distance = ,.

local_proxy = 0.0.0.0/0.0.0.0/0/0 (type = 4),

remote_proxy = 192.168.196.32/255.255.255.255/0/0 (type = 1),

Protocol = ESP, transform = null esp esp-md5-hmac (Tunnel-UDP).

lifedur = 0 and 0kb in

SPI = 0 x 0 (0), id_conn = 0, keysize = 0, flags = 0 x 400

#################################################################################################

I tried to understand where is my mistake, can someone help me find it?

Thank you very much

concerning
```
crypto map hostb-crytomap 65535 ipsec-isakmp dynamic vpn-dynamic-map
```
is the fault of typing in the name as in your original config?

--
Don't stop once you have upgraded your network! Improve the world by lending money to low-income workers:
http://www.Kiva.org/invitedBy/karsteni

Tunnel VPN L2L with NATTing will not allow traffic which will be initiated by spoke to the hub.

Traffic from internal hosts will NAT address works ok, but what speaks tests it traffic never connects.

get the 10.1.12.232 NAT host would be 172.27.63.133 and past through the VPN tunnel to 10.24.4.65 without problem. However when 10.24.4.65 tries to ping or connect to 172.27.63.133 traffic does not make inside host 10.1.12.232

ASA-1 #.
!
network object obj - 172.27.73.0
172.27.73.0 subnet 255.255.255.0
network object obj - 172.27.63.0
172.27.63.0 subnet 255.255.255.0
network object obj - 10.1.0.0
10.1.0.0 subnet 255.255.0.0
network object obj - 10.24.4.64
subnet 10.24.4.64 255.255.255.224
network object obj - 172.27.73.0 - 172.27.73.255
range 172.27.73.0 172.27.73.255
the object of the 10.0.0.0 network
subnet 10.0.0.0 255.0.0.0
network object obj - 24.173.237.212
Home 24.173.237.212
network object obj - 10.1.12.232
Home 10.1.12.232
network object obj - 172.27.63.133
Home 172.27.63.133
the DM_INLINE_NETWORK_9 object-group network
object-network 10.0.0.0 255.255.255.0
object-network 10.0.11.0 255.255.255.0
object-network 10.0.100.0 255.255.255.0
object-network 10.0.101.0 255.255.255.0
object-network 10.0.102.0 255.255.255.0
object-network 10.0.103.0 255.255.255.0
the DM_INLINE_NETWORK_16 object-group network
object-network 10.1.11.0 255.255.255.0
object-network 10.1.12.0 255.255.255.0
object-network 10.1.13.0 255.255.255.0
object-network 10.1.3.0 255.255.255.0
!
outside_1_cryptomap list extended access permitted ip object-group DM_INLINE_NETWORK_16-group of objects DM_INLINE_NETWORK_9
access extensive list ip 172.27.73.0 outside_8_cryptomap allow 255.255.255.0 10.24.4.64 255.255.255.224
access extensive list ip 172.27.63.0 outside_8_cryptomap allow 255.255.255.0 10.24.4.64 255.255.255.224
!
list of allowed outside access extended ip 10.24.4.64 255.255.255.224 172.27.63.0 255.255.255.0
list of allowed outside access extended ip 10.24.4.64 255.255.255.224 10.1.0.0 255.255.0.0
list of allowed outside access extended ip 172.27.63.0 255.255.255.0 10.1.0.0 255.255.0.0
!
NAT (inside, all) source static obj - 172.27.73.0 obj - 172.27.73.0 destination static obj - 10.24.4.64 obj - 10.24.4.64 no-proxy-arp-search to itinerary
NAT (inside, all) source static obj - 172.27.63.0 obj - 172.27.63.0 destination static obj - 10.24.4.64 obj - 10.24.4.64 no-proxy-arp-search to itinerary
NAT (inside, outside) source dynamic obj - 10.66.0.0 obj - 172.27.73.0 - 172.27.73.255 destination static obj - 10.24.4.64 obj - 10.24.4.64
NAT (inside, outside) source dynamic obj - 10.70.0.0 obj - 172.27.73.0 - 172.27.73.255 destination static obj - 10.24.4.64 obj - 10.24.4.64
NAT (inside, outside) source dynamic obj - 10.96.228.0 obj - 172.27.73.0 - 172.27.73.255 destination static obj - 10.24.4.64 obj - 10.24.4.64
NAT (inside, outside) source dynamic obj - 10.96.229.0 obj - 172.27.73.0 - 172.27.73.255 destination static obj - 10.24.4.64 obj - 10.24.4.64
NAT (inside, outside) source dynamic obj - 192.168.5.0 obj - 172.27.73.0 - 172.27.73.255 destination static obj - 10.24.4.64 obj - 10.24.4.64
NAT (inside, outside) source dynamic obj - 10.75.0.0 obj - 172.27.73.0 - 172.27.73.255 destination static obj - 10.24.4.64 obj - 10.24.4.64
NAT (inside, outside) source dynamic obj - 10.11.0.0 obj - 172.27.73.0 - 172.27.73.255 destination static obj - 10.24.4.64 obj - 10.24.4.64
NAT (inside, outside) source static obj - 10.1.3.37 obj - 10.71.0.37 destination static obj - 50.84.209.140 obj - 50.84.209.140
NAT (inside, outside) source static obj - 10.1.3.38 obj - 10.71.0.38 destination static obj - 50.84.209.140 obj - 50.84.209.140
NAT (inside, outside) source static obj - 10.1.12.232 obj - 172.27.63.133 destination static obj - 10.24.4.64 obj - 10.24.4.64
NAT (inside, outside) source dynamic obj - 10.1.0.0 obj - 172.27.73.0 - 172.27.73.255 destination static obj - 10.24.4.64 obj - 10.24.4.64
!
NAT (exterior, Interior) source static obj - 10.24.4.64 obj - 10.24.4.64 destination static obj - 172.27.63.133 obj - 10.1.12.232
NAT (outside, outside) source static obj - 10.24.4.64 obj - 10.24.4.64 destination static obj - 172.27.63.133 obj - 10.1.12.232

the object of the 10.0.0.0 network
NAT (inside, outside) dynamic obj - 24.173.237.212
!
NAT (VendorDMZ, outside) the after-service automatic source dynamic obj - 192.168.13.0 obj - 24.173.237.212
outside access-group in external interface
Route outside 0.0.0.0 0.0.0.0 24.173.237.209 1
Route inside 10.1.0.0 255.255.0.0 10.1.10.1 1
Route inside 10.2.1.0 255.255.255.248 10.1.10.1 1
!
Crypto ipsec transform-set ikev1 SHA-ESP-3DES esp-3des esp-sha-hmac
Crypto ipsec transform-set ikev1 ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
Crypto ipsec transform-set ikev1 ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
Crypto ipsec transform-set ikev1 ESP-3DES-SHA-DH2-esp-3des esp-sha-hmac
Crypto ipsec pmtu aging infinite - the security association
!
card crypto GEMed 8 corresponds to the address outside_8_cryptomap
card crypto GEMed 8 set peer 64.245.57.4
card crypto GEMed 8 set ikev1 transform-set ESP-AES-256-SHA ESP-AES-256-MD5
GEMed outside crypto map interface
!
: end
ASA-1 #.

Hello

First of all, I would like to remove these two lines because they do nothing productive
```
nat (outside,inside) source static obj-10.24.4.64 obj-10.24.4.64 destination static obj-172.27.63.133 obj-10.1.12.232nat (outside,outside) source static obj-10.24.4.64 obj-10.24.4.64 destination static obj-172.27.63.133 obj-10.1.12.232
```
Then, I was running packet - trace to see what NAT rule actually hit you.
```
packet-tracer input inside 10.1.12.232 12345 10.24.4.65 12345
```

How to pass the traffic of a site VPN S2S by ASA to another S2S VPN site?

I have a need for hosts on separate VPN networks connected to my ASA corp to communicate among themselves. Example: Host A site 1 a need to communicate with host B on the site 2. Both sites 1 & 2 are connected via the VPN S2S. I would get every site traffic to flow through the ASA at the other site. Where should I start my configuration? NAT? ACL?

I can ping each host in the network Corp. but cannot ping from one site to the other. I set up same-security-traffic permit intra-interface and addition of NAT and rules the ACL to allow/permit 1 Site to contact Site 2. When I do a trace of package through Deputy Ministers DEPUTIES, packets are allowed to pass. I read different that tell no NAT y at - it something at the other end of the VPN to do? should NAT and ACLs rules be mirrored? Just in case, a site is an instance of MS Azure VM and the other is a 3rd party VM instance.

On the HubASA, can I set up a new card encryption that selects the Site1 Site2 traffic and protect the traffic and value her counterpart Site2 public IP or just add this selection of traffic to the existing encryption card for the existing tunnel between HubASA and Site2?

Just add this traffic to the existing encryption card.

Remember that this should be added on three routers (two hubs and there has been talk).

Site1

CRYPTO ip access list allow Site2 subnet >

CRYPTO ip access list allow subnet training3 >

CRYPTO ip access list allow subnet HUB >

Site2

CRYPTO ip access list allow Site1 subnet >

CRYPTO ip access list allow subnet training3 >

CRYPTO ip access list allow subnet HUB >

Training3

CRYPTO ip access list allow Site1 subnet >

CRYPTO ip access list allow Site2 subnet >

CRYPTO ip access list allow subnet HUB >

HUB

CRYPTO_1 ip access list allow Site1 subnet >

CRYPTO_1 ip access list allow Site1 subnet >

CRYPTO_1 ip access list allow Site1 subnet >

CRYPTO_2 ip access list allow Site2 subnet >

CRYPTO_2 ip access list allow Site2 subnet >

CRYPTO_2 ip access list allow Site2 subnet >

CRYPTO_3 ip access list allow subnet training3 >

CRYPTO_3 ip access list allow subnet training3 >

CRYPTO_3 ip access list allow subnet training3 >

Each of these ACLs is attributed to their respective crypto cards. CRYPTO_1 is assigned the site1 crypto map, CRYPTO_2 is assigned to the site2 crypto card... etc.

I hope that's clear

In addition to this, you need to configure identity NAT / NAT provides both the HUB and the spokes of sites.

--

Please do not forget to select a correct answer and rate useful posts

ASA 8.4 (1) source-nat over vpn site-to-site

I'm setting up a tunnel vpn site-to-site and require nat for the local and remote side. The remote side will be nat to

10.2.255.128/25 on their face before they reach our network, so I have to only source-nat our servers via the tunnel to them. Should I just do the static NAT, then let the whole subnet through the acl of valuable traffic as the config below? I don't think I should use twice a nat because I'm not trying to make the destination nat on the firewall. Servers with us will 10.2.255.128/25 and I would like to preserve it through the ASA.

network of the ServerA object

host 10.1.0.1

NAT 10.2.255.1 static (inside, outside)

network of the object server b

host 10.1.0.2

NAT 10.2.255.2 static (inside, outside)

the object server c network

host 10.1.0.3

NAT 10.2.255.3 static (inside, outside)

the LOCAL_SUBNET object-group network

object-network 10.2.255.0 255.255.255.128

the REMOTE_SUBNET object-group network

object-network 10.2.255.128 255.255.255.128

VPN_ACL list extended access permitted ip object-group LOCAL_SUBNET-group of objects REMOTE_SUBNET

Thank you

Your configuration is correct, but I have a few comments. Remember that NAT occurs before the delivery of your servers will be translated into 10.2.255.2 and 10.2.255.3 and then sent through the tunnel, so your encryption field is correct.

Is your internet firewall as well? What your servers out of the internet? They will be translated to 10.2.255.2 and 10.2.255.3 and who will fail in internet routing is. If these servers access the internet through the firewall, I would recommend a configuration like this for each of your servers:

network of the ServerA_NAT object

Home 10.2.255.1

NAT static ServerA ServerA_NAT destination (indoor, outdoor) static source REMOTE_SUBNET REMOTE_SUBNET

This will use destination basic NAT for traffic VPN and NAT everything to a public IP address for the internet traffic. Of course, if this is not your internet connection firewall can do abstraction.

Cisco ASA Site to Site VPN IPSEC and NAT question

Hi people,

I have a question about the two Site to Site VPN IPSEC and NAT. basically what I want to achieve is to do the following:

ASA2 is at HQ and ASA1 is a remote site. I have no problem setting a static static is a Site to IPSEC VPN between sites. Guests residing in 10.1.0.0/16 are able to communicate with hosts in 192.168.1.0/24, but what I want is to configure the NAT with IPSEC VPN for this host to 10.1.0.0/16 will communicate with hosts in 192.168.1.0/24 with translated addresses

Just an example:

N2 host (10.1.0.1/16) contacted N1 192.168.1.5 with destination host say 10.23.1.5 No 192.168.1.5 (notice the last byte is the same in the present case,.5)

The translation still for the rest of the communication (host pings ip destination host 10.23.1.6 N3 N2 not 192.168.1.6 new last byte is the same)

It sounds a bit confusing to me, but I've seen this type of configuration before when I worked for the supplier of managed services where we have given our customers (Ipsec Site to Site VPN with NAT, don't know how it was setup)

Basically we contact the customer via site-to-site VPN hosts but their real address were hidden and we used as translated address more high 10.23.1.0/24 instead of (real) 192.168.1.0/24, last byte must be the same.

Grateful if someone can shed some light on this subject.

Hello

OK so went with the old format of NAT configuration

It seems to me that you could do the following:
- Configure the ASA1 with static NAT strategy
  - access-list L2LVPN-POLICYNAT allowed ip 192.168.1.0 255.255.255.0 10.1.0.0 255.255.0.0
  - public static 10.23.1.0 (inside, outside) access-list L2LVPN-POLICYNAT
- Because the above is a static NAT of the policy, this means that the translation will be made only when the destination network is 10.1.0.0/16
- If you have for example a PAT basic configuration to inside-> external traffic, the above NAT configuration and the custom of the actual configuration of PAT interfere with eachother
- ASA2 side, you can normally configure NAT0 / NAT Exemption for the 10.1.0.0/16 network
  - Note of the INTERIOR-SHEEP access-list SHEEP L2LVPN
  - the permitted INSIDE SHEEP 10.1.0.0 ip access list 255.255.0.0 10.23.1.0 255.255.255.0
  - NAT (inside) 0-list of access to the INTERIOR-SHEEP
- You will need to consider that your access-list defining the VPN encrypted L2L traffic must reflect the new NAT network
  - ASA1: allowed to access-list L2LVPN-ENCRYPTIONDOMAIN ip 10.23.1.0 255.255.255.0 10.1.0.0 255.255.0.0
  - ASA2: list L2LVPN-ENCRYPTIONDOMAIN allowed ip 10.1.0.0 access 255.255.0.0 10.23.1.0 255.255.255.0
I could test this configuration to work tomorrow but I would like to know if it works.

Please rate if this was helpful

-Jouni

Traffic to the VPN router IOS NAT tunnel

I need to configure a VPN tunnel that NATs traffic above him. I have already established VPN tunnels and NAT traffic. I did this on a concentrator VPN and ASA, but have seen some places where people say is not possible on a router or I saw real hard evidence that it is. For example, I use a Cisco 2801 router with 12.4(8a) and advanced security. This can be quite difficult as the subnet / vlan that we need NAT needs to pass normal traffic on other VPN tunnels and using a NAT on the Internet directly. Y does it have, any restrictions on it as the IOS version, being a router itself, NAT configuration. Any help is greatly appreciated.

Hi James,

NAT VPN traffic, you can like you do with ASAs on IOS routers.

If you do, it is that you create an ACL to set traffic to be coordinated, apply the ACL to a NAT rule and a condition that NAT statement with a roadmap to occur only when the traffic will be sent through the tunnel.

Federico.

Access to the DMZ to remote sites via VPN S2S

We have an ASA 5520 and two remote site ASA 5505 that connect to each other through tunnels VPN S2S. They are doing tunneling split, while local traffic passes over the tunnel. We are local LAN (10.0.0.0/16) and our network to the DMZ (10.3.0.0/24) on the main site. The DMZ hosts our external sharepoint, but we access it internally

The problem is site A (10.1.0.0/24) and B (10.2.0.0/24) have no idea of it, and when you try to go to the site, it fails. You can access it via the external site address, but that's the only way. Normally the external address is blocked when you're an intern.

That I'm stuck on is even when we had all sent traffic from Site A to our Senior Center, would find it yet. I do a separate vpn purely tunnel that traffic to DMZ?

Yes. So if you do this in ASDM under Edit Site profile connection Site, it will look like this.

Local network: 10.0.0/16, 10.3.0.0/24

Distance: 10.1.0.0/24

The Cisco AnyConnect VPN connection host bridge/NAT comments

I think I know the answer to that, but I hope I'm wrong. I have 9 Workstation on a Windows 7 laptop, and I wonder if it is possible to get my guest VM (Windows and non-Windows (if it matters)) to have access to my VPN connection when I am connected. Preferably through NAT, if it is then connected by a bridge. I found this post where the poster indicates that you can deselect 'connect the adapter to the virtual host' and he's got to work, but this does not work for me, unless I'm missing something or it depends on the type of VPN connection or installation. I read that you can not address IPSec VPN, but I don't know what type I'm sure I can't say the AnyConnect client.
Thank you
Brian

By default the anyconnect software won't allow all connections to the VPN tunnel. So once the connection is established you can not connect to the host on the local network more.

If you do a 'route print' on the host before and after the VPN connection is established, you will find that the VPN connection has set the parameter WOG network for the lowest value which makes the default and sets a mask that blocks all other connections. You can remove the mask route to access the host on the local network, but you will not get a direct connection to the virtual machine VPN tunnel.

If you search the forum here for VPN, you can find a post about this.

The router configuration VPN VTI adding a third site/router

Hello

I currently have two cisco routers configured with a connection to a primary WAN interface and a connection to an Internet interface. I have a VPN configured using a VTI interface as a secondary path if the primary circuit WAN fails. IM also using OSPF as a dynamic routing protocol. Failover works and itineraries are exchanged. The question I have is that if I want to put a third-party router in this configuration I just add another interface tunnel with the tunnel proper Public source and destination IP and new IP addresses for a new tunnel network.
The current configuration of the VTI is below:

Any guidance would be appreciated.

Thank you

Andy

Router1_Configurtation_VTI

crypto ISAKMP policy 1

BA 3des

preshared authentication

Group 2

ISAKMP crypto key Cisco12345 address 0.0.0.0 0.0.0.0

Crypto IPsec transform-set esp-3des esp-sha-hmac T1

Crypto IPsec profile P1

game of transformation-T1

!

interface Tunnel0

IP 10.0.1.1 255.255.255.0

IP ospf mtu - ignore

load-interval 30

tunnel source 1.1.1.1 Internet Source * Public

2.2.2.1 tunnel * Public Destination Internet destination

ipv4 IPsec tunnel mode

profile P1 IPsec tunnel protection

!

Router2_Configuration_VTI

crypto ISAKMP policy 1

BA 3des

preshared authentication

Group 2

ISAKMP crypto key Cisco12345 address 0.0.0.0 0.0.0.0

Crypto IPsec transform-set esp-3des esp-sha-hmac T1

Crypto IPsec profile P1

game of transformation-T1

!

interface Tunnel0

10.0.1.2 IP address 255.255.255.0

IP ospf mtu - ignore

load-interval 30

2.2.2.1 tunnel source * Source public Internet

1.1.1.1 tunnel * Public Destination Internet destination

ipv4 IPsec tunnel mode

profile P1 IPsec tunnel protection

Since this config is configuration of keys ISAKMP using address 0.0.0.0 0.0.0.0 is not required for a new encryption key isakmp with the new address of the site. Simply configure the VTI on the new router and one or both of the existing routers.

One of the aspects of this application that should consider the original poster, that's how they want data to flow when the third-party router is implemented. With both routers, you have just a simple point-to-point connection. When you introduce the third-party router do you want one of the routers to use hub? In this case, the hub router has tunnels each remote Ray. Each remote RADIUS has a tunnel to the hub. Talk about communication talk is possible but will have to go to the hub and then out to the other remote. The other option is a mesh configuration where each router has VTI tunnel to the other router.

HTH

Rick

Traffic redirect Internet from the remote site on the main site using the tunel of vpn ipsec

Hi all

I have a problem to redirect internet traffic from my remote to the main site by the IPSEC VPN tunnel. The remote site is a Cisco 2801 router with ios (c2800nm-advipservicesk9 - mz.124 - 22.T) and the remote site has ios (C870-ADVSECURITYK9-M, Version 12.4 (15) T12, fc3 SOFTWARE VERSION). This redirect does not work and the last jump with extended traceroute form the remote site is the ip wan of the main site.

Is there someone who can help me with the right settings this redirection via VPN?

the remote site config file:

/ * Style definitions * / table. MsoNormalTable {mso-style-name : « Tableau Normal » ; mso-tstyle-rowband-taille : 0 ; mso-tstyle-colband-taille : 0 ; mso-style-noshow:yes ; mso-style-priorité : 99 ; mso-style-qformat:yes ; mso-style-parent : » « ;" mso-rembourrage-alt : 0 cm 5.4pt cm 0 5.4pt ; mso-para-marge-haut : 0 cm ; mso-para-marge-droit : 0 cm ; mso-para-marge-bas : 10.0pt ; mso-para-marge-gauche : 0 cm ; ligne-hauteur : 115 % ; mso-pagination : widow-orphelin ; police-taille : 11.0pt ; famille de police : « Calibri », « sans-serif » ; mso-ascii-font-family : Calibri ; mso-ascii-theme-font : minor-latin ; mso-hansi-font-family : Calibri ; mso-hansi-theme-font : minor-latin ;}

crypto ISAKMP policy 8

BA 3des

md5 hash

preshared authentication

ISAKMP crypto key dgsn2010 address 41.223.X.X

!

!

Crypto ipsec transform-set esp-3des vpn

!

vpndgsn 10 ipsec-isakmp crypto map

Description at HQ

set of peer 41.223.X.X

Set transform-set vpn

match address VPNHQ

!

interface FastEthernet0

IP 41.223.X.X 255.255.255.0

NAT outside IP

IP virtual-reassembly

IP tcp adjust-mss 1300

automatic duplex

automatic speed

vpndgsn card crypto

!

interface FastEthernet 4

192.168.11.1 IP address 255.255.255.0

IP nat inside

no ip virtual-reassembly

!

IP route 0.0.0.0 0.0.0.0 41.223.X.X

VPNHQ extended IP access list

ip licensing 192.168.11.0 0.0.0.255 any

!

the main site config file:

/ * Style definitions * / table. MsoNormalTable {mso-style-name : « Tableau Normal » ; mso-tstyle-rowband-taille : 0 ; mso-tstyle-colband-taille : 0 ; mso-style-noshow:yes ; mso-style-priorité : 99 ; mso-style-qformat:yes ; mso-style-parent : » « ;" mso-rembourrage-alt : 0 cm 5.4pt cm 0 5.4pt ; mso-para-marge-haut : 0 cm ; mso-para-marge-droit : 0 cm ; mso-para-marge-bas : 10.0pt ; mso-para-marge-gauche : 0 cm ; ligne-hauteur : 115 % ; mso-pagination : widow-orphelin ; police-taille : 11.0pt ; famille de police : « Calibri », « sans-serif » ; mso-ascii-font-family : Calibri ; mso-ascii-theme-font : minor-latin ; mso-hansi-font-family : Calibri ; mso-hansi-theme-font : minor-latin ;}

crypto ISAKMP policy 10

BA 3des

md5 hash

preshared authentication

ISAKMP crypto key dgsn2010 address 41.223.X.X

!

!

Crypto ipsec transform-set esp-3des vpn

!

vpncreo 10 ipsec-isakmp crypto map

Description FOR bastos

set of peer 41.205.X.X

Set transform-set vpn

match address 110

!

interface FastEthernet0/0

Description OF WAN

IP 41.223.X.X 255.255.255.240

NAT outside IP

IP tcp adjust-mss 1492

vpncreo card crypto

!

interface FastEthernet0/1

Description OF LAN

IP 192.168.10.1 255.255.255.0

IP nat inside

automatic duplex

automatic speed

!

overload of IP nat inside source list NAT interface FastEthernet0/0

IP route 0.0.0.0 0.0.0.0 41.223.31.241

access-list 110 permit ip any 192.168.11.0 0.0.0.255

NAT extended IP access list

deny ip 192.168.10.0 0.0.0.255 192.168.11.0 0.0.0.255 any

permit ip 192.168.10.0 0.0.0.255 any

ip licensing 192.168.11.0 0.0.0.255 any

!

You must configure the routing policy based closure for NAT can be invoked on the main site.

Here is an example configuration for your reference:

http://www.Cisco.com/en/us/products/sw/secursw/ps2308/products_configuration_example09186a008073b06b.shtml

Additionally, make sure that you don't do any NATing at your remote end, IE: you must configure the NAT exemption for all traffic from 192.168.11.0/24 to any (Internet).

Hope that helps.

NAT 0 using the object in OS 8.6 NAT network

Hello

I am trying to create a remote access IPSEC vpn and work for the first time with network NAT object on an architecture of 5512 X with OS 8.6. I would like to know how to create a SHEEP script with users on the other side, using an entry of 0 nat NAT so that traffic destined for subnets to the other end of the VPN are not NATTED?

Thank you

Vick.

Here you go:

For example:

LAN: 192.168.5.0/24

Remote LAN: 192.168.88.0/24

object of local-LAN

192.168.5.0 subnet 255.255.255.0

object distance-LAN network

192.168.88.0 subnet 255.255.255.0

NAT (inside, outside) static source local-LAN LAN local static destination remote control remote-LAN-LAN

Hope that helps.

Problem with website Source NAT Site policy

Dear all,

IAM facing issue with source based nat in Site-toSite VPN configuration.

We want to access the remote site server 10.67.1.5 from my main server 192.168.210.224, my 192.168.210.224 server need nat with 10.66.102.178 to go to the outside of the remote site. We have done below the configuration and VPN pahse1 and phase 2 sets up very well, but we are not able to access the remote server 10.67.1.5. Phase 2 set up and only the packages are not wrapping decapsulating. Remote site is seen VPN ending the router and the phase 1 and phase 2 implements.

There is no configured nat exemption. Appreciate urgent help to identify the problem...

We have tunnels from site to site much operational f... but not the tunnels with policy NAT

config
--------
access list acl - OR line 1 permit extended ip 192.168.210.224 host 10.67.1.5 (hitcnt = 0)
allowed to access list acl - NOR line extended to 2 ip host 10.66.102.178 10.67.1.5 (hitcnt = 2)

NAT (inside) 2 192.168.210.224 255.255.255.255
Global 2 10.66.102.178 (outside)

Crypto ipsec transform-set OR esp-3des esp-sha-hmac

card crypto ENOCMAP 22 matches the acl address - OR
card crypto ENOCMAP 22 set counterpart x.x.x.x
card crypto ENOCMAP 22 set transform-set
card crypto ENOCMAP 22 defined security-association life seconds 3600
card crypto ENOCMAP 22 set reverse-road
ENOCMAP interface card crypto outside

tunnel-group x.x.x.x type ipsec-l2l
tunnel-group ipsec-attributes x.x.x.x
pre-shared key *.

======================================================================

12 peer IKE: x.x.x.x
Type: L2L role: initiator
Generate a new key: no State: MM_ACTIVE

ENOCDC-FW03 # sh crypto ipsec his counterpart x.x.x.x
peer address: x.x.x.x
Tag crypto map: ENOCMAP, seq num: 22, local addr: x.x.x.x

access list acl - OR extended permit ip host 10.66.102.178 10.67.1.5
local ident (addr, mask, prot, port): (10.66.102.178/255.255.255.255/0/0)
Remote ident (addr, mask, prot, port): (10.67.1.5/255.255.255.255/0/0)
current_peer: x.x.x.x

#pkts program: 2, #pkts encrypt: 2, #pkts digest: 2
#pkts decaps: 0, #pkts decrypt: 0, #pkts check: 0
compressed #pkts: 0, unzipped #pkts: 0
#pkts uncompressed: 2, comp #pkts failed: 0, #pkts Dang failed: 0
success #frag before: 0, failures before #frag: 0, #fragments created: 0
Sent #PMTUs: 0, #PMTUs rcvd: 0, reassembly: 20th century / of frgs #decapsulated: 0
#send errors: 0, #recv errors: 0

endpt local crypto. : x.x.x.x, remote Start crypto. : x.x.x.x

Path mtu 1500, fresh ipsec generals 58, media, mtu 1500
current outbound SPI: 89BAF49F
current inbound SPI: DB36C4B6

Hello

Please try this nat statement below:

policynat list extended access allowed host ip 192.168.210.224 10.67.1.5

public static 10.66.102.178 (inside, outside) - policynat access list

Here is some reference material for policy nat - http://www.cisco.com/en/US/docs/security/asa/asa82/configuration/guide/nat_overview.html#wp1088419

Thank you

Tarik Admani
* Please note the useful messages *.

On the Question of VPN S2S source NAT

Similar Questions

Maybe you are looking for