PAT/NAT and VPN through a PIX

Similar Questions

• Making the NAT for VPN through L2L tunnel clients

  Hi.I has the following situation in my network. We need for users who log on our site with the VPN clients to connect to another site via a tunnel L2L. The problem is that I need NAT addresses from the pool of VPN client in another beach before going on the L2L tunnel because on the other side, we have duplication of networks.

  I tried to do NAT with little success as follows:

  ACL for pool NAT of VPN:

  Extended list ip 192.168.253.0 access TEST allow 255.255.255.0 192.168.0.0 255.255.255.0

  Extended list ip 192.168.253.0 access TEST allow 255.255.255.0 192.168.5.0 255.255.255.0

  NAT:

  Global 172.20.105.1 - 172.20.105.254 15 (outdoor)

  NAT (inside) 15 TEST access-list

  CRYPTO ACL:

  allowed ro access list extended LAN ip 255.255.0.0 192.168.0.0 255.255.255.0

  allowed ro access list extended LAN ip 255.255.0.0 192.168.5.0 255.255.255.0

  IP 172.20.105.0 RO allow extended access list 255.255.255.0 192.168.0.0 255.255.255.0

  IP 172.20.105.0 RO allow extended access list 255.255.255.0 192.168.5.0 255.255.255.0

  permit same-security-traffic intra-interface

  Am I missing something here? Something like this is possible at all?

  Thanks in advance for any help.

  We use the ASA 5510 with software version 8.0 (3) 6.

  You need nat to the outside, not the inside.

  NAT (outside) 15 TEST access-list

• NAT and VPN site-2-Site

  Hello world.

  I have question about Site 2 Site VPN and NAT.

  HQ is connected to the partner and the co-location through site to site VPN (with two different tunnels). Co-location is connected to the HQ with the site 2 site VPN.

  HQ:
  Co-location:
  Partner:

  Basically, what I want to achieve is to do the following:

  All traffic from the combination with destination partner should switch from AC and source what IP must be changed. So it seems that the traffic originated in the DMZ HQ on the side of the partner.

  How can I achieve that?

  HW: Cisco ASA

  Hello Roger,.

  The configuration you need will be on the ASA HQ.

  First configure the ASA so that it would allow the traffic to leave through the same interface it came through:

  permit same-security-traffic intra-interface

  Then, you create a nat that an IP address of this beach (it will work if the partner does not need to go to the apartment, just camp to the partner):

  policy-based-nat1 permit ip access list

  NAT () to access list policy-based-nat1

  (Global)

  That is asuming that you already have a rule of traffic interesting (crypto ACL map) allowed your DMZ for flatsharing.

  For a more specific example, see below:

  Colocation network: 192.168.1.0/24

  Network DMZ HQ: 10.10.10.0/24

  Network partner: 172.16.10.0/24

  permit same-security-traffic intra-interface

  access list policy-based-nat1 permit ip 192.168.1.0 255.255.255.0 172.16.10.0 255.255.255.0
  

  NAT (outdoor) 100 access list policy-based-nat1

  global (outside) 100 10.10.10.253

  vpn10 10.10.10.0 ip access list allow 255.255.255.0 172.16.10.0 255.255.255.0

  10 correspondence address vpn vpn crypto card

  If the partner needs to access the apartment so (two-way access) you may not use the DMZ network as there must be a translation from one to the other and you have the same amount of addresses to be translated you have on the apartment.

  However, it would be possible if your DMZ network is greater than the apartment (like DMZ being a 16 and colo in 24) and you can isolate a subnet just for NAT.

  Hope this helps to solve the problem.

• Access to services: conflict NAT and VPN

  Hi people!

  I encountered a problem with external access to local services of:
  (a) remote clients (port open on the side WAN)
  (b) the remote sites (through IPsec tunnels)

  Here's a topology:

  

  EXPLANATIONS

  FW1 (actually from TMG 2010) overload NAT of preforms.

  The service in question (for example tcp 9999) is published on 192.168.100.0/24 via static NAT translation, which is accessible from the network.

  HQ1 is a border router (cisco 2921). It also performs NAT overload for public addresses. (Other than cisco) Branch1 also performs NAT overload.

  All traffic between the headquarters and the remote site is allowed. The service is accessible from the remote site.

  PROBLEM

  I want to allow access to the service for an external user (remote user). I do the following configuration:

  IP nat inside source static tcp 192.168.100.2 2.2.2.2 9999 9999 extensible

  After this command remote user is able to access the service by public IP, BUT the site's users remote losing it. If I roll back with

  No nat ip inside the source static tcp 192.168.100.2 2.2.2.2 9999 9999 extensible

  then access to the remote site is restored, and remote user lose again. Seems that it is connected with the static NAT translations.

  How can I make it work in both cases of simulteniously? Both for the remote site and the remote user.

  Thank you!

  You must use a map of the route with your static NAT configuration.

  Recently answered a question for the same thing, please visit this link and if you have any questions please come back.

  https://supportforums.Cisco.com/discussion/12544291/IPSec-IP-NAT-inside-source-static

  Jon

• NAT and vpn acl

  Hello

  I have asa 5512-x

  ASA 9.1 version 2

  ASDM version 7.2 (1)

  I'm not really good with a syntax of cisco, so I use asdm

  I created a split tunnel remote ipsec vpn with cisco vpn client

  the purpose is to allow vpn for LAN traffic

  and to allow the vpn to a public Web site traffic

  so I set the two objects and added to the exemption of split tunnel (the names of the objects: 'LAN', 'Rackspace')

  access to the local network is ok, access to a Web site does not work

  I guess I have some missing nat/ACL,

  can someone explain to me please in the most simple way to do this?

  Thank you very much

  Hello

  What is subnet

  network of the NETWORK_OBJ_172.18.0.0_26 object
  255.255.255.192 subnet 172.18.0.0

  This 'nat' configuration seems strange

  NAT (LAN, WAN1) source static Tunnel VPN VPN Tunnel static destination NETWORK_OBJ_172.18.0.0_26 NETWORK_OBJ_172.18.0.0_26 non-proxy-arp-search to itinerary

  When you see that the source for the "nat" interface is 'LAN' and source networks are those configured under "Tunnel VPN" it seems to suggest that this NAT configuration transmits traffic destined to 'LAN' and 'rackspace' to the 'LAN' interface. It is naturally very good for the subnet configured under 'LAN' , but the 'rackspace' to my knowledge is located behind an external interface of the ASA correct? But I guess I really need to know this as the subnet that I mentioned at the beginning of the post (which is used in this configuration NAT too)

  What is the interface to which the VPN users connect to? WAN1 or DSL? Although the following list what the map interface Crypto is attached

  See the crypto run map

  You can also list the output of the following command

  See the establishment of performance ip local pool

  -Jouni

• Help without NAT and VPN Config DMZ.

  Before VPN, we miss with 'nonatdmz '. Recently, we tried to implement the solution VPN using "VPNRA".

  ASA IOS would only you are using a "NAT 0" at a time, how do you get around that.

  TIA

  nonatdmz list of allowed ip extended access any 192.168.100.0 255.255.255.0

  NAT (inside) 0-list of access nonatdmz

  Access extensive list ip 172.0.0.0 VPNRA allow 255.0.0.0 10.17.70.0 255.255.255.0

  NAT (inside) 0-list of access VPNRA

  You can add several lines to you nonatdmz access-list: for example:

  nonatdmz list of allowed ip extended access any 192.168.100.0 255.255.255.0

  access extensive list ip 172.0.0.0 nonatdmz allow 255.0.0.0 10.17.70.0 255.255.255.0

  NAT (inside) 0-list of access nonatdmz

• Several outbound VPN connections behind PIX-515E

  I will take a PIX-515E off-site for a provision of access internet location. I have several people behind this PIX, who will have to return to the same Office VPN. One person can VPN through the PIX very well, but if someone else tries to VPN they cannot. Once the first person has disconnected for 10 minutes, then the next person can connect. I activated the NAT - T and added fixup protocol esp-ike. What can I do it wrong? Thank you.

  fixup protocol esp-ike - allows PAT to (ESP), one tunnel.

  Please remove this correction.

  If the remote site has NAT - T enabled, then you should be able to use NAT - T and more than 1 user should be able to use behind the PIX VPN client.

  See you soon

  Gilbert

• PIX 501 NAT and PAT with a single IP address

  Using the following configuration, on my first PIX 501, I am unable to provide a server of mail to the outside world and allows inside customers to browse the Internet. :

  6.3 (5) PIX version

  interface ethernet0 car

  interface ethernet1 100full

  ethernet0 nameif outside security0

  nameif ethernet1 inside the security100

  enable password xxxx

  passwd xxx

  hostname fw-sam-01

  SAM domain name

  fixup protocol dns-length maximum 512

  fixup protocol ftp 21

  fixup protocol h323 h225 1720

  fixup protocol h323 ras 1718-1719

  fixup protocol http 80

  fixup protocol rsh 514

  fixup protocol rtsp 554

  fixup protocol sip 5060

  fixup protocol sip udp 5060

  fixup protocol 2000 skinny

  No fixup not protocol smtp 25

  fixup protocol sqlnet 1521

  fixup protocol tftp 69

  names of

  outside access list permit tcp any host 62.x.x.109 eq smtp

  access the inside to allow tcp a whole list

  pager lines 24

  Outside 1500 MTU

  Within 1500 MTU

  IP address outside the 62.177.x.x.x.255.248

  IP address inside 192.168.45.1 255.255.255.0

  alarm action IP verification of information

  alarm action attack IP audit

  location of PDM 192.168.45.2 255.255.255.255 inside

  PDM logging 100 information

  history of PDM activate

  ARP timeout 14400

  Global 1 interface (outside)

  NAT (inside) 1 0.0.0.0 0.0.0.0 0 0

  public static 62.177.x.x.x.45.2 (Interior, exterior) mask subnet 255.255.255.255 0 0

  outside access-group in external interface

  group-access to the Interior in the interface inside

  Route outside 0.0.0.0 0.x.x.x.177.208.105 1

  Timeout xlate 0:05:00

  Timeout conn 01:00 half-closed 0:10:00 udp 0: CPP 02:00 0:10:00 01:00 h225

  H323 timeout 0:05:00 mgcp 0: sip from 05:00 0:30:00 sip_media 0:02:00

  Sip timeout - disconnect 0:02:00 prompt Protocol sip-0: 03:00

  Timeout, uauth 0:05:00 absolute

  GANYMEDE + Protocol Ganymede + AAA-server

  AAA-server GANYMEDE + 3 max-failed-attempts

  AAA-server GANYMEDE + deadtime 10

  RADIUS Protocol RADIUS AAA server

  AAA-server RADIUS 3 max-failed-attempts

  AAA-RADIUS deadtime 10 Server

  AAA-server local LOCAL Protocol

  Enable http server

  http 192.168.45.0 255.255.255.0 inside

  No snmp server location

  No snmp Server contact

  SNMP-Server Community public

  No trap to activate snmp Server

  enable floodguard

  Telnet 192.168.45.0 255.255.255.0 inside

  Telnet timeout 5

  SSH timeout 5

  Console timeout 0

  dhcpd lease 3600

  dhcpd ping_timeout 750

  : end

  It is I'am using access list and groups wrong or am I wrong in PAT/NAT configuration.

  Please advise...

  Hello

  I went through the ongoing discussion. The pix configuration should be fine for now according to suggestions. The problems seems to be on the server. If it is a new installation of windows, then there is an option not to accept requests that are not local network.

  If you want to check if pix allows connections and then when you telnet to port 25 of the outside, just run the xlates control.

  SH xlate and it should show you a translation for the inside host. More than a quick test if pix allows traffic is to check 'sho-outdoor access list' and see if the counters are increasing.

  Hopefully this should help you.

  Arun S.

• VPN through NAT

  Hello

  I configured a PIX (6.3) for (4.0.2) VPN clients. When I try to connect using a dial-up connection, I am able to connect, but using a NAT (through a router) I stay connected but cannot access all the servers. It shows the decryption of zero packets.

  Is their something I need to do on PIX? I'm using IPSEC.

  Help, please.

  NAT, or more precisely of PAT, will usually break an IPSec connection. Fortunately, there is a new standard called NAT - T that has each end detect that they are going through a NAT/PAT device, and if so, they'll wrap everything in UDP packets, which can then be NAT correctly.

  The customer has of this feature is automatically enabled. On the PIX to put on with the command:

  > isakmp nat-traversal

  See http://www.cisco.com/univercd/cc/td/doc/product/iaabu/pix/pix_sw/v_63/cmdref/gl.htm#1027312 for more details.

• PAT on IPSEC VPN (Pix 501)

  Hello

  I work to connect a PIX 501 VPN for a 3rd party hub 3015. The hub requires all traffic to come from a single source IP address. This IP address is assigned to me as z.z.z.z. I have successfully built the VPN and tested by mapping staticly internal IP with the IP address assigned, but cannot get the orders right to do with PAT in order to have more than one computer on the subnet 10.x.x.0. This Pix is also a backup for internet routing and NAT work currently as well for this.

  I can redirect traffic to my subnet to the remote subnet via the VPN, but I can't seem to get the right stuff PAT to the VPN using the assigned IP address. If anyone can give me some advice that would be great.

  lines of current config interesting configuration with static mapping:

  --------------------------------------------------------------------------

  access-list 101 permit ip 10.0.0.0 255.255.255.0 y.y.y.0 255.255.255.0

  access-list 102 permit ip y.y.y.0 255.255.255.0 z.z.z.z host

  access-list 103 allow host ip y.y.y.0 255.255.255.0 z.z.z.z

  IP address outside w.w.w.1 255.255.255.248

  IP address inside 10.0.0.1 255.255.255.0

  Global 1 interface (outside)

  NAT (inside) - 0 102 access list

  NAT (inside) 1 0.0.0.0 0.0.0.0 0 0

  public static z.z.z.z (Interior, exterior) 10.x.x.50 netmask 255.255.255.255 0 0

  Route outside 0.0.0.0 0.0.0.0 w.w.w.2 1

  correspondence address card crypto mymap 10 103

  mymap outside crypto map interface

  ISAKMP allows outside

  Thank you!

  Dave

  Dave,

  (1) get rid of static electricity. Use more Global/NAT. The static method will create a permanent

  translation for your guests inside and they will always be this way natted. Use

  NAT of politics, on the contrary, as shown here:

  not static (inside, outside) z.z.z.z 10.x.x.50 netmask 255.255.255.255 0 0

  Global (outside) 2 z.z.z.z netmask 255.255.255.255

  (Inside) NAT 2-list of access 101

  (2) the statement, "nat (inside) access 0 2' list will prevent nat of your valuable traffic."

  Delete this because you need to nat 2 nat/global card. (as a general rule, simply you

  If you terminate VPN clients on your device and do not want inside the traffic which

  is intended for the vpn clients to be natted on the external interface).

  (3) with the instructions of Global/nat 2, all traffic destined for the remote network will be first

  translated into z.z.z.z. Then your card crypto using the ACL 103 will encrypt all traffic which

  sources of z.z.z.z for y.y.y.0 24. This translation wil happen only when traffic is destined for the vpn.

  I hope this helps. I have this work on many tunnels as you describe.

  Jamison

• PAT and VPN

  Hello

  I have a question, currently I have configured 10 servers PAT against a public IP (x.x.x.x) in ASA. Now I need to configure a few VPN tunnels with the customers and I want this tunnel encryption IP x.x.x.x public IP domain, which is natted against these IP 10. Is this possible? If so, how?

  Traffic that goes out of tunnels, would be of any one of these 10 servers for external clients.

  Thank you

  Pawan

  I mean that you have usually to NAT the traffic that goes through the tunnel because you don't need these addresses to be public.

  If you a reason you need NAT/Pat, then you can set it up like that.

  Here is an example:

  A Local network 10.1.1.0/24 site

  Site A PAT address: 200.1.1.1

  Site b: local area network: 10.2.2.0/24

  Site b: public IP address: 200.2.2.1

  So, normally, you avoid NATing VPN traffic communication and between sites of 10.1.1.0/24 to 10.2.2.0/24

  In this case if you want to PAT the traffic, then you do the following:

  Site A:

  NAT (inside) 1 10.1.1.0 255.255.255.0

  Global 1 interface (outside)

  list of allowed VPN ip 200.1.1.1 host Access 10.2.2.0 255.255.255.0--> it's the ACL crypto

  You must make sure that there is no nat 0 for that traffic.

  In this case, when traffic goes to 10.1.1.0/24 to 10.2.2.0/24, the traffic will get PATed encrypted and sent through the tunnel.

  Only Site A may initiate the VPN tunnel.

  Federico.

• Router vpn site to site PIX and vpn client

  I have two on one interface on the pix vpn connections that terminate VPN. client vpn and VPN site-to-site have passed phase one and two and decrypt and encrypt the packets. However as in another post I can not ping through the l2l vpn. I checked this isn't a nat problem a nd two NAT 0 on the pix and the NAT on the router access lists work correctly.

  ISAKMP crypto RTR #show its
  IPv4 Crypto ISAKMP Security Association
  status of DST CBC State conn-id slot
  66.x.x.x 89.x.x.x QM_IDLE 2001 0 ACTIVE

  IPv6 Crypto ISAKMP Security Association

  local ident (addr, mask, prot, port): (192.168.2.0/255.255.255.0/0/0)
  Remote ident (addr, mask, prot, port): (192.168.10.0/255.255.255.0/0/0)
  current_peer 66.x.x.x port 500
  LICENCE, flags is {origin_is_acl},
  #pkts program: 23583, #pkts encrypt: 23583 #pkts digest: 23583
  #pkts decaps: 18236, #pkts decrypt: 18236, #pkts check: 18236
  compressed #pkts: 0, unzipped #pkts: 0
  #pkts uncompressed: 0, #pkts compr. has failed: 0
  #pkts not unpacked: 0, #pkts decompress failed: 0
  #send 40, #recv errors 0

  local crypto endpt. : 89.x.x.x, remote Start crypto. : 66.x.x.x
  Path mtu 1380, ip mtu 1380, ip mtu BID Dialer0
  current outbound SPI: 0xC4BAC5E (206285918)

  SAS of the esp on arrival:
  SPI: 0xD7848FB (225986811)
  transform: aes - esp esp-sha-hmac.
  running parameters = {Tunnel}
  Conn ID: 3, flow_id: Motorola SEC 1.0:3, card crypto: PIX_MAP
  calendar of his: service life remaining (k/s) key: (4573083/78319)
  Size IV: 16 bytes
  support for replay detection: Y
  Status: ACTIVE

  the arrival ah sas:

  SAS of the CFP on arrival:

  outgoing esp sas:
  SPI: 0xC4BAC5E (206285918)
  transform: aes - esp esp-sha-hmac.
  running parameters = {Tunnel}
  Conn ID: 4, flow_id: Motorola SEC 1.0:4, card crypto: PIX_MAP
  calendar of his: service life remaining (k/s) key: (4572001/78319)
  Size IV: 16 bytes
  support for replay detection: Y
  Status: ACTIVE

  outgoing ah sas:

  outgoing CFP sas:

  Expand the IP NAT access list
  10 deny ip 192.168.2.0 0.0.0.255 192.168.10.0 0.0.0.255 (21396 matches)
  20 permit ip 192.168.2.0 0.0.0.255 everything (362 matches)
  Expand the IP VPN_ACCESS access list
  10 permit ip 192.168.20.0 0.0.0.255 192.168.10.0 0.0.0.255 (39724 matches)

  I looked on the internet and that it points to a routing error when packets are being encrypted and decrypted, but you can't do a ping on the binding. However when I test the connection I did not enter any of the static routes that networks are connected directly on each side of the pix and the router. any help would be a preciated as I think there's maybe something is blocking the ping to reach the internal network at the end of pix with a configured access list.

  is ping failure of the only thing between the site to site VPN? and assuming that all other traffic works fine since it decrypts and encrypts the packets.

  If it's just ping, then activate pls what follows on the PIX:

  If it is version 6.3 and below: fixup protocol icmp

  If it is version 7.0 and higher: select "inspect icmp" under your political map of the world.

  Config complete hand and on the other could help determine if it's a configuration problem or another problem.

• VPN bewtween 2 PIX - 1 behind a NAT router.

  Hello

  I created 2 PIX with a VPN tunnel between them and it worked. Small was during a test well before that of PIX has been shipped to the location where it has been implemented (with of course the new addresses IP etc.)

  Now this PIX is placed behind a Zyxel router running NAT, and the tunnel will not simply come to the top. It is never further than the State of 'mm_sa_setup '.

  I am aware that the only thing that is different from when he worked is the NAT router damn, so I should be aware of this router? I'm going nuts: 0)

  Oh and btw. I use ESP-3des-sha.

  Thanks in advance,

  Rasmus

  When you activate the NAT - T, Cisco PIX automatically opens port 4500 on all active IPSec interfaces so you should be sure that the UDP 4500 port is not blocked between two PIX.

  Kind regards

  Mehrdad

• Customer Cisco VPN through PIX

  I have a PIX 501. I would use the Cisco VPN Client through the PIX to connect to a PIX on another site. The client will connect, but there is no traffic through the connection. What can I do?

  On the remote PEER PIX, add the following line.

  ISAKMP nat-traversal 20

  sincerely

  Patrick

• How to configure NAT for Hyper-V on laptop with wifi, wired and vpn connectivity

  Me, as I suspect a lot of people, I have a laptop with WiFi connection, cable connection and VPN connection (Cisco AnyConnect), which

  also uses a virtual adapter (activated when active). I searched for some time a way to be able to move to

  Hyper-V in VirtualBox. Blocker full for me is the need for a lot of my virtual machines to be able to connect to the

  Internet through 'the connection active' in the way that VirtualBox and VMWare Workstation/Player through their NAT feature.

  I'm not a networking wait, but after looking around, can't seem to find something that is simple enough for me to configure,

  with a minimum of resources, which allows me to connect a Hyper-V virtual network via a simple NAT device adapter

  all three potential network connections - most seem to not assume that one connection out of the machine, which of course does not

  me what I want.

  Three questions:

  1. is there a Windows application available that an adapter (like loopback) internal which acts as a real NAT device to one of the surfaces

  external access via the active network connections and through the Windows Firewall and any other antivirus, components etc. for

  the road to (i.e. behaves like a "normal app" inside Windows for internet access)? It would be the best option, because it would be

  "always there" when I run virtual machines

  2. display of my lack of knowledge around this feature, don't RRAS (and I know that this is not an option "minimum contact") allow you to

  Connect an internal network adapter to several external network adapters?

  3. on the Linux/OpenBSD various base/NAT routers, are everything that allow several external adapters and who are

  relatively easy to set up (by an independent expert of the network)?

  Really, we could do with this feature for Hyper-V on the desktop, but willing to work around him, if there is a way to at least the

  use virtual machines, once it is easy to install.

  Hello

  The question is more suited in the TechNet forums. So I would say you mention the link and send the request in this forum for better support.

  http://social.technet.Microsoft.com/forums/en-us/w8itpronetworking/threads

  For any information related to Windows, feel free to get back to us. We will be happy to help you.