PIX v6.3 Site-to-Site with policy NAT

Hi guys,.

I need to set up a site to site with nat because we have overlapping subnet at the other end.

They need access to both servers on our network with IP static.

Site A: 192.168.100.0/24

Site b: 192.168.200.128/25

The other site has chosen this network for NAT: 10.200.50.0/28

I need to translate

192.168.100.10 > 10.200.50.2

192.168.100.20 > 10.200.50.3

through the tunnel

That's what I've done so far, will this work? Any problem that may appear with this config?

Crypto ACL:

VPN ip 10.200.50.0 access list allow 255.255.255.240 192.168.200.128 255.255.255.128

Policy_NAT1 list of allowed access host ip of 192.168.100.10 192.168.200.128 255.255.255.128

Policy_NAT2 list of allowed access host ip 192.168.100.20 192.168.200.128 255.255.255.128

NAT (inside) 10 access-list Policy_NAT1 0 0

NAT (inside) 11 access-list Policy_NAT2 0 0

overall 10 10.200.50.2 (outside)

Overall 11 10.200.50.3 (outside)

Thanks in advance!

Hello

Your configuration looks very good.

Although I guess it's a dynamic configuration policy NAT/PAT.

Incase you want to configure static policy NAT, you need to change a bit. I mean if you wanted a NAT configuration allowing to form bidirectional connection. Both from your site to the remote site and the remote site to your side. You can always use the same ACL you have configured, but you would use the "static" configurations.

public static 10.200.50.2 (inside, outside) - Policy_NAT1 access list

public static 10.200.50.3 (inside, outside) - Policy_NAT2 access list

Review with the static NAT to politics and the dynamic policy NAT/PAT which would be if these hosts have static NAT configured at the direction of the 'outside' interface while static NAT would cancel both of these configurations.

If you use the political dynamic NAT and had also a static NAT for the host, then you would have to change from the above static NAT in a policy to override the static NAT.

And with the foregoing in mind possible existing static NAT and new static NAT of policy might have some problems as a whole. In this case the scheduling of NAT rules would determine if static NAT of the policy has been applied already. If you already had the configured static NAT then it would nullify the political new static NAT:. The solution would be to remove the static NAT and enter it again. This would move the static NAT once the static NAT to policy in the order that they appear on the CLI format configuration and, therefore, static political NAT would work for the specified destination and addresses the static NAT for all other destination addresses.

Hope I made any sense

Feel free to ask more if necessary while

-Jouni

Tags: Cisco Security

Similar Questions

ASA VPN Site to Site (WITH the NAT) ICMP problem

Hi all!

I need traffic PAT 192.168.1.0/24 (via VPN) contact remote 151.1.1.0/24, through 192.168.123.9 router in the DMZ (see diagram)

It works with this configuration, with the exception of the ICMP.

This is the error: Deny icmp src dmz:151.1.1.1 dst foreign entrants: 192.168.123.229 (type 0, code 0)

Is there a way to do this?

Thank you all!

Marco

------------------------------------------------------------------------------------

ASA Version 8.2 (2)
!
ciscoasa hostname
domain default.domain.invalid
activate 8Ry2YjIyt7RRXU24 encrypted password
2KFQnbNIdI.2KYOU encrypted passwd
names of
name 192.168.1.0 network-remote control
!
interface Vlan1
nameif inside
security-level 100
IP 192.168.200.199 255.255.255.0
!
interface Vlan2
nameif outside
security-level 0
the IP 10.0.0.2 255.255.255.0
!
interface Vlan3
prior to interface Vlan1
nameif dmz
security-level 0
192.168.123.1 IP address 255.255.255.0
!
interface Ethernet0/0
switchport access vlan 2
!
interface Ethernet0/1
!
interface Ethernet0/2
!
interface Ethernet0/3
!
interface Ethernet0/4
!
interface Ethernet0/5
!
interface Ethernet0/6
!
interface Ethernet0/7
switchport access vlan 3
!
passive FTP mode
DNS server-group DefaultDNS
domain default.domain.invalid
the DM_INLINE_NETWORK_1 object-group network
object-network 151.1.1.0 255.255.255.0
object-network 192.168.200.0 255.255.255.0
outside_1_cryptomap list extended access allowed object-group DM_INLINE_NETWORK_1 remote ip 255.255.255.0 network
inside_nat0_outbound to access extended list ip 192.168.200.0 allow 255.255.255.0 255.255.255.0 network-remote control
VPN_NAT list extended access allow remote-network ip 255.255.255.0 151.1.1.0 255.255.255.0
dmz_access_in list extended access permit icmp any one
outside_access_in list extended access permit icmp any one
pager lines 24
Enable logging
notifications of logging asdm
Within 1500 MTU
Outside 1500 MTU
MTU 1500 dmz
ICMP unreachable rate-limit 1 burst-size 1
ICMP allow all dmz
ASDM image disk0: / asdm - 625.bin
don't allow no asdm history
ARP timeout 14400
Global 1 interface (outside)
Global (dmz) 5 192.168.123.229
NAT (inside) 0-list of access inside_nat0_outbound
NAT (inside) 1 192.168.200.0 255.255.255.0
NAT (outside) 5 VPN_NAT list of outdoor access
Access-group outside_access_in in interface outside
Access-group dmz_access_in in dmz interface
Route outside 0.0.0.0 0.0.0.0 10.0.0.100 1
Dmz route 151.1.1.0 255.255.255.0 192.168.123.9 1
Timeout xlate 03:00
Timeout conn 01:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
Sunrpc timeout 0:10:00 h323 0:05:00 h225 mgcp from 01:00 0:05:00 mgcp-pat 0:05:00
Sip timeout 0:30:00 sip_media 0:02:00 prompt Protocol sip-0: 03:00 sip - disconnect 0:02:00
Timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
dynamic-access-policy-registration DfltAccessPolicy
Enable http server
http 0.0.0.0 0.0.0.0 inside
remote control-network http 255.255.255.0 inside
No snmp server location
No snmp Server contact
Server enable SNMP traps snmp authentication linkup, linkdown cold start
Crypto ipsec transform-set esp-SHA-ESP-3DES-3des esp-sha-hmac
life crypto ipsec security association seconds 28800
Crypto ipsec kilobytes of life - safety 4608000 association
card crypto outside_map 1 match address outside_1_cryptomap
card crypto outside_map 1 set pfs Group1
card crypto outside_map 1 set peer 10.0.0.1
card crypto outside_map 1 set of transformation-ESP-3DES-SHA
outside_map interface card crypto outside
crypto ISAKMP allow outside
crypto ISAKMP policy 10
preshared authentication
3des encryption
sha hash
Group 2
life 86400
Telnet timeout 5
SSH timeout 5
Console timeout 0
dhcpd outside auto_config
!

a basic threat threat detection
Statistics-list of access threat detection
no statistical threat detection tcp-interception
WebVPN
tunnel-group 10.0.0.1 type ipsec-l2l
tunnel-group 10.0.0.1 ipsec-attributes
pre-shared key *.
!
class-map inspection_default
match default-inspection-traffic
!
!
type of policy-card inspect dns preset_dns_map
parameters
maximum message length automatic of customer
message-length maximum 512
Policy-map global_policy
class inspection_default
inspect the preset_dns_map dns
inspect the ftp
inspect h323 h225
inspect the h323 ras
inspect the rsh
inspect the rtsp
inspect esmtp
inspect sqlnet
inspect the skinny
inspect sunrpc
inspect xdmcp
inspect the sip
inspect the netbios
inspect the tftp
Review the ip options
!
global service-policy global_policy
context of prompt hostname
call-home
Profile of CiscoTAC-1
no active account
http https://tools.cisco.com/its/service/oddce/services/DDCEService destination address
email address of destination [email protected] / * /
destination-mode http transport
Subscribe to alert-group diagnosis
Subscribe to alert-group environment
Subscribe to alert-group monthly periodic inventory
monthly periodicals to subscribe to alert-group configuration
daily periodic subscribe to alert-group telemetry
------------------------------------------------------------------------------------

Review the link, you have two ways to leave outgoing icmp, good acl or icmp inspection

http://www.Cisco.com/en/us/products/HW/vpndevc/ps2030/products_tech_note09186a0080094e8a.shtml

ASA to Juniper VPN with policy NAT

I'm trying to configure a VPN tunnel between a remote site 66.18.106.160/27 and my network 192.168.190.0/24 client. I need NAT all traffic leaving 192.168.190.0/24 to 192.168.191.0/24.

Here is my current config:

xxxxx host name

domain xxxxx.local
enable the encrypted password xxxxx
XXXXX encrypted passwd
names of
!
interface Vlan1
nameif inside
security-level 100
IP 192.168.190.1 255.255.255.0
!
interface Vlan2
nameif outside
security-level 0
IP 207.98.218.26 255.255.255.248
!
interface Vlan3
prior to interface Vlan1
nameif DMZ
security-level 50
IP 192.168.100.1 address 255.255.255.0
!
interface Vlan12
description of interface vlan2 backup
nameif CharterBackup
security-level 0
IP 72.14.9.50 255.255.255.248
!
interface Ethernet0/0
switchport access vlan 2
!
interface Ethernet0/1
!
interface Ethernet0/2
switchport access vlan 12
!
interface Ethernet0/3
!
interface Ethernet0/4
!
interface Ethernet0/5
!
interface Ethernet0/6
switchport access vlan 3
!
interface Ethernet0/7
switchport access vlan 3
!
passive FTP mode
DNS server-group DefaultDNS
domain xxxxx.local
access-list extended 110 permit ip 192.168.190.0 255.255.255.0 192.168.10.0 255.255.255.0
access-list extended 110 permit ip 192.168.190.0 255.255.255.0 66.18.106.160 255.255.255.224
access-list extended 110 permit ip 192.168.191.0 255.255.255.0 66.18.106.160 255.255.255.224
access-list extended 100 permit tcp any host 207.98.218.27 eq 3389
access-list extended 100 permit tcp any host 207.98.218.28 eq 3389
access-list extended 100 permit tcp any host 207.98.218.27 eq 9000
access-list extended 100 permit tcp any host 207.98.218.27 eq 9001
access-list extended 100 permit tcp any host 207.98.218.28 eq 9000
access-list extended 100 permit tcp any host 207.98.218.28 eq 9001
access-list standard split allow 192.168.190.0 255.255.255.0
Access extensive list ip 192.168.190.0 POLICYNAT allow 255.255.255.0 66.18.106.160 255.255.255.224
extended VPN ip 192.168.191.0 access list allow 255.255.255.0 66.18.106.160 255.255.255.224
pager lines 24
asdm of logging of information
Within 1500 MTU
Outside 1500 MTU
MTU 1500 DMZ
MTU 1500 CharterBackup
IP local pool vpnpool 192.168.10.75 - 192.168.10.85
no failover
ICMP unreachable rate-limit 1 burst-size 1
ASDM image disk0: / asdm - 524.bin
don't allow no asdm history
ARP timeout 14400
Global 1 interface (outside)
Global interface (CharterBackup) 1
NAT (inside) - 0 110 access list
NAT (inside) 1 0.0.0.0 0.0.0.0
NAT (DMZ) 1 0.0.0.0 0.0.0.0
public static 192.168.191.0 (inside, outside) - POLICYNAT access list
Access-group 100 in external interface
Route outside 0.0.0.0 0.0.0.0 207.98.218.25 1 track 1
Route 0.0.0.0 CharterBackup 0.0.0.0 71.14.9.49 254
Timeout xlate 03:00
Timeout conn 01:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
Sunrpc timeout 0:10:00 h323 0:05:00 h225 mgcp from 01:00 0:05:00 mgcp-pat 0:05:00
Sip timeout 0:30:00 sip_media 0:02:00 prompt Protocol sip-0: 03:00 sip - disconnect 0:02:00
Timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
Enable http server
http 192.168.190.0 255.255.255.0 inside
No snmp server location
No snmp Server contact
Server enable SNMP traps snmp authentication linkup, linkdown cold start
monitor SLA 123
type echo protocol ipIcmpEcho 4.2.2.2 outside interface
timeout of 1000
frequency 3
Annex ALS life monitor 123 to always start-time now
Crypto ipsec transform-set esp - esp-md5-hmac romanset
Crypto ipsec transform-set esp-aes - AES-128-SHA esp-sha-hmac
Crypto-map dynamic dynmap 10 transform-set romanset
romanmap card crypto 10 corresponds to the VPN address
peer set card crypto romanmap 10 66.18.99.68
card crypto romanmap 10 game of transformation-AES-128-SHA
map romanmap 65535-isakmp ipsec crypto dynamic dynmap
romanmap interface card crypto outside
crypto isakmp identity address
crypto ISAKMP allow outside
crypto ISAKMP policy 10
preshared authentication
the Encryption
md5 hash
Group 2
life 86400
crypto ISAKMP policy 20
preshared authentication
aes encryption
sha hash
Group 2
life 86400
!
track 1 rtr 123 accessibility
Telnet 0.0.0.0 0.0.0.0 inside
Telnet timeout 5
SSH 0.0.0.0 0.0.0.0 outdoors
SSH 0.0.0.0 0.0.0.0 CharterBackup
SSH timeout 5
Console timeout 0
management-access inside
dhcpd dns 8.8.8.8
dhcpd outside auto_config
!
dhcpd address 192.168.100.100 - DMZ 192.168.100.130
dhcpd enable DMZ
!

internal group xxxxx policy
attributes of the strategy group xxxxx
value of server WINS 192.168.190.3
value of server DNS 192.168.190.3
Split-tunnel-policy tunnelspecified
Split-tunnel-network-list value split
tunnel-group xxxxx type ipsec-ra
tunnel-group xxxxx General attributes
address vpnpool pool
Group Policy - by default-romangroup
tunnel-group ipsec-attributes xxxxx
pre-shared-key *.
ISAKMP ikev1-user authentication no
tunnel-group 66.18.99.68 type ipsec-l2l
IPSec-attributes tunnel-group 66.18.99.68
pre-shared-key *.
!
class-map inspection_default
match default-inspection-traffic
!
!
type of policy-card inspect dns preset_dns_map
parameters
message-length maximum 512
Policy-map global_policy
class inspection_default
inspect the preset_dns_map dns
inspect the ftp
inspect h323 h225
inspect the h323 ras
inspect the rsh
inspect the rtsp
inspect esmtp
inspect sqlnet
inspect the skinny
inspect sunrpc
inspect xdmcp
inspect the sip
inspect the netbios
inspect the tftp
!
global service-policy global_policy
context of prompt hostname

Currently, traffic that originates on 192.168.190.0/24 generates no traffic phase 1. However, if the traffic is coming in FRO the side remote (66.18.106.160/27) the tunnel arrives, but no traffic passes.

Although this isn't my area of expertise, it seems to me that my ASA is not 'see' interesting traffic from 192.168.190.0/24 will 66.18.106.160/27.

Any help you could provide would be GREATLY appreciated.

Just remove the 2 following lines:

access-list extended 110 permit ip 192.168.190.0 255.255.255.0 66.18.106.160 255.255.255.224

access-list extended 110 permit ip 192.168.191.0 255.255.255.0 66.18.106.160 255.255.255.224

Then 'clear xlate '.

That should solve your problem.

VPN site to Site with NAT (PIX 7.2)

Hi all

I hope for more help with config PIX. TBH I would classify myself as a newb on PIX, only dabbling in it every 6 months or so...

I have to configure a VPN site-to site between our UK and US Office, to replace our frame relay link. I have configured multiple VPN site to site on the before PIX, so am reasonably okay with the appearance of the config of who. What is a new concept for me is the needs of NAT'ing between the IPSEC tunnel.

The U.S. Agency requires us to NAT source addresses (i.e. 192.168.1.0) usable on their side address (i.e. 143.102.89.0). The tunnel must then be set to encrypt traffic between 143.102.89.0/24 and 172.24.0.0/14.

I added the following config and hoping to test it at the U.S. office happens online today.

If I Ping from 192.168.1.0 to 172.24.x.x source and run a SH NAT inside, the NAT translation seems good.

is the intellectual property inside 192.168.1.0 255.255.255.0 outside 172.24.0.0 255.252.0.0
static translation at 143.102.89.0
translate_hits = 4, untranslate_hits = 0

Could someone please go through the following lines of config and comment if there is no error?

Thank you very much

Kevin

/ * Style definitions * / table. MsoNormalTable {mso-style-name : « Table Normal » ; mso-tstyle-rowband-taille : 0 ; mso-tstyle-colband-taille : 0 ; mso-style-noshow:yes ; mso-style-priorité : 99 ; mso-style-qformat:yes ; mso-style-parent : » « ;" mso-rembourrage-alt : 0 cm 5.4pt cm 0 5.4pt ; mso-para-margin : 0 cm ; mso-para-marge-bottom : .0001pt ; mso-pagination : widow-orphelin ; police-taille : 11.0pt ; famille de police : « Calibri », « sans-serif » ; mso-ascii-font-family : Calibri ; mso-ascii-theme-font : minor-latin ; mso-fareast-font-family : « Times New Roman » ; mso-fareast-theme-font : minor-fareast ; mso-hansi-font-family : Calibri ; mso-hansi-theme-font : minor-latin ; mso-bidi-font-family : « Times New Roman » ; mso-bidi-theme-font : minor-bidi ;}

IP 143.102.89.0 allow Access-list ipsec - dallas extended 255.255.255.0 172.24.0.0 255.252.0.0

policy-nat-dallas-list of allowed extensive access ip 192.168.1.0 255.255.255.0 172.24.0.0 255.252.0.0

public static 143.102.89.0 (inside, outside) - list of access policy-nat-dallas

Crypto ipsec transform-set esp-3des esp-md5-hmac 3desmd5set

card crypto map dyn 40 correspondence address ipsec - dallas

set dyn-map 40 crypto map peer 143.101.6.141

card crypto dyn-map 40 transform-set 3desmd5set

dyn-map interface card crypto outside

crypto isakmp identity address

crypto ISAKMP allow outside

crypto ISAKMP policy 10

preshared authentication

3des encryption

md5 hash

Group 2

life 86400

tunnel-group 143.101.6.141 type ipsec-l2l

IPSec-attributes tunnel-group 143.101.6.141

pre-shared-key *.

You can configure NAT/Global pair for the rest of the users.

For example:

You can use the initially configured ACL:

policy-nat-dallas-list of allowed extensive access ip 192.168.1.0 255.255.255.0 172.24.0.0 255.252.0.0
NAT (inside) 1 access list policy-nat-dallas

Global 1 143.102.89.x (outside)

The static statement that you configured previously will take precedence over the above. So the printer gets statically using a NAT to 143.102.89.10, and the rest can do another ip address 143.102.89.x PATed.

Please note that for PAT, traffic can only be initiated from 192.168.1.0/24 LAN to 172.24.0.0/14, not the other way around.

Hope that helps.

Problem VPN site to Site with overlapping networks

We currently have a PIX 515E firewall as a headboard with many tunnels of site-to-site configured for her with the enpoints of PIX 506. Our internal LAN addressing scheme is 172.18.0.0 255.255.0.0. Addresses of local network in two of the remote networks with congigured VPN site-to-site are 172.18.107.0 255.255.255.224 and 172.18.107.32 255.255.255.0. Remote network access to all services on our internal network very well. We have 20 other network segments configured the same way. The 172.18.107.32.0 network needs to communicate with the 172.18.107.0 network for the services of file on the other remote PIX. Since the station PIX will not allow traffic to leave the same interface it came we thought with him we would just set up a tunnel from site to site between the two remote LAN. After the configuration of the site to another remote firewalls do not appear to try to establish tunnels when sending valuable traffic. I turned on debug for ISAKMP and nothing is either sent or received on a remote Firewall with regard to these tunnels. It's almost like since we already have a tunnel set to our 172.18.0.0 internal LAN that the remote PIX will not build specifically to 172.18.107.0 tunnel. I am able to ping each remote peer with each other and hear protection rules, but nothing has ever been established.

Is what we are trying to do possible? Sorry for the long post but the kind of a strange scenario. Thanks in advance for any help.

In what order are the numbers of seqence card crypto for configuring vpn on pix distance units? It could be that you are trying to install is a lot and will be checked later as head of pix. If this is the case, then yes the 172.18/16 road prevail the 172.18.107/24. Try to rebuild the entrance card crypto with a lower number so that traffic to 172.18.107/24 comes first.

I would like to know how it works.

Need help with the configuration of the Site with crossed on Cisco ASA5510 8.2 IPSec VPN Client (1)

Need urgent help in the configuration of the Client VPN IPSec Site with crossed on Cisco ASA5510 - 8.2 (1).

Here is the presentation:

There are two leased lines for Internet access - a route 1.1.1.1 and 2.2.2.2, the latter being the default Standard, old East for backup.

I was able to configure the Client VPN IPSec Site

(1) with access to the outside so that the internal network (172.16.0.0/24) behind the asa

(2) with Split tunnel with simultaneous assess internal LAN and Internet on the outside.

But I was not able to make the tradiotional model Hairpinng to work in this scenario.

I followed every possible suggestions made on this subject in many topics of Discussion but still no luck. Can someone help me here please?

Here is the race-Conf with Normal Client to Site IPSec VPN configured with no access boarding:

LIMITATION: Cannot boot into any other image ios for unavoidable reasons, must use 8.2 (1)

race-conf - Site VPN Customer normal work without internet access/split tunnel
: ASA Version 8.2 (1) ! ciscoasa hostname domain cisco.campus.com enable the encrypted password xxxxxxxxxxxxxx XXXXXXXXXXXXXX encrypted passwd names of ! interface GigabitEthernet0/0 nameif outside internet1 security-level 0 IP 1.1.1.1 255.255.255.240 ! interface GigabitEthernet0/1 nameif outside internet2 security-level 0 IP address 2.2.2.2 255.255.255.224 ! interface GigabitEthernet0/2 nameif dmz interface security-level 0 IP 10.0.1.1 255.255.255.0 ! interface GigabitEthernet0/3 nameif campus-lan security-level 0 IP 172.16.0.1 255.255.0.0 ! interface Management0/0 nameif CSC-MGMT security-level 100 the IP 10.0.0.4 address 255.255.255.0 ! boot system Disk0: / asa821 - k8.bin boot system Disk0: / asa843 - k8.bin passive FTP mode DNS server-group DefaultDNS domain cisco.campus.com permit same-security-traffic inter-interface permit same-security-traffic intra-interface object-group network cmps-lan the object-group CSC - ip network object-group network www-Interior object-group network www-outside object-group service tcp-80 object-group service udp-53 object-group service https object-group service pop3 object-group service smtp object-group service tcp80 object-group service http-s object-group service pop3-110 object-group service smtp25 object-group service udp53 object-group service ssh object-group service tcp-port port udp-object-group service object-group service ftp object-group service ftp - data object-group network csc1-ip object-group service all-tcp-udp access list INTERNET1-IN extended permit ip host 1.2.2.2 2.2.2.3 access-list extended SCC-OUT permit ip host 10.0.0.5 everything list of access CAMPUS-LAN extended permitted tcp 172.16.0.0 255.255.0.0 any eq www list of access CAMPUS-LAN extended permitted tcp 172.16.0.0 255.255.0.0 any https eq list of access CAMPUS-LAN extended permitted tcp 172.16.0.0 255.255.0.0 any eq ssh list of access CAMPUS-LAN extended permitted tcp 172.16.0.0 255.255.0.0 no matter what eq ftp list of access CAMPUS-LAN extended permitted udp 172.16.0.0 255.255.0.0 no matter what eq field list of access CAMPUS-LAN extended permitted tcp 172.16.0.0 255.255.0.0 any eq smtp list of access CAMPUS-LAN extended permitted tcp 172.16.0.0 255.255.0.0 any eq pop3 access CAMPUS-wide LAN ip allowed list a whole access-list CSC - acl note scan web and mail traffic access-list CSC - acl extended permit tcp any any eq smtp access-list CSC - acl extended permit tcp any any eq pop3 access-list CSC - acl note scan web and mail traffic access-list extended INTERNET2-IN permit tcp any host 1.1.1.2 eq 993 access-list extended INTERNET2-IN permit tcp any host 1.1.1.2 eq imap4 access-list extended INTERNET2-IN permit tcp any host 1.1.1.2 eq 465

race-conf - Site VPN Customer normal work without internet access/split tunnel

ASA Version 8.2 (1)

ciscoasa hostname

domain cisco.campus.com

enable the encrypted password xxxxxxxxxxxxxx

XXXXXXXXXXXXXX encrypted passwd

names of

interface GigabitEthernet0/0

nameif outside internet1

security-level 0

IP 1.1.1.1 255.255.255.240

interface GigabitEthernet0/1

nameif outside internet2

security-level 0

IP address 2.2.2.2 255.255.255.224

interface GigabitEthernet0/2

nameif dmz interface

security-level 0

IP 10.0.1.1 255.255.255.0

interface GigabitEthernet0/3

nameif campus-lan

security-level 0

IP 172.16.0.1 255.255.0.0

interface Management0/0

nameif CSC-MGMT

security-level 100

the IP 10.0.0.4 address 255.255.255.0

boot system Disk0: / asa821 - k8.bin

boot system Disk0: / asa843 - k8.bin

passive FTP mode

DNS server-group DefaultDNS

domain cisco.campus.com

permit same-security-traffic inter-interface

permit same-security-traffic intra-interface

object-group network cmps-lan

the object-group CSC - ip network

object-group network www-Interior

object-group network www-outside

object-group service tcp-80

object-group service udp-53

object-group service https

object-group service pop3

object-group service smtp

object-group service tcp80

object-group service http-s

object-group service pop3-110

object-group service smtp25

object-group service udp53

object-group service ssh

object-group service tcp-port

port udp-object-group service

object-group service ftp

object-group service ftp - data

object-group network csc1-ip

object-group service all-tcp-udp

access list INTERNET1-IN extended permit ip host 1.2.2.2 2.2.2.3

access-list extended SCC-OUT permit ip host 10.0.0.5 everything

list of access CAMPUS-LAN extended permitted tcp 172.16.0.0 255.255.0.0 any eq www

list of access CAMPUS-LAN extended permitted tcp 172.16.0.0 255.255.0.0 any https eq

list of access CAMPUS-LAN extended permitted tcp 172.16.0.0 255.255.0.0 any eq ssh

list of access CAMPUS-LAN extended permitted tcp 172.16.0.0 255.255.0.0 no matter what eq ftp

list of access CAMPUS-LAN extended permitted udp 172.16.0.0 255.255.0.0 no matter what eq field

list of access CAMPUS-LAN extended permitted tcp 172.16.0.0 255.255.0.0 any eq smtp

list of access CAMPUS-LAN extended permitted tcp 172.16.0.0 255.255.0.0 any eq pop3

access CAMPUS-wide LAN ip allowed list a whole

access-list CSC - acl note scan web and mail traffic

access-list CSC - acl extended permit tcp any any eq smtp

access-list CSC - acl extended permit tcp any any eq pop3

access-list CSC - acl note scan web and mail traffic

access-list extended INTERNET2-IN permit tcp any host 1.1.1.2 eq 993

access-list extended INTERNET2-IN permit tcp any host 1.1.1.2 eq imap4

access-list extended INTERNET2-IN permit tcp any host 1.1.1.2 eq 465

access-list extended INTERNET2-IN permit tcp any host 1.1.1.2 eq www

access-list extended INTERNET2-IN permit tcp any host 1.1.1.2 eq https

access-list extended INTERNET2-IN permit tcp any host 1.1.1.2 eq smtp

access-list extended INTERNET2-IN permit tcp any host 1.1.1.2 eq pop3

access-list extended INTERNET2-IN permit ip any host 1.1.1.2

access-list sheep extended ip 172.16.0.0 allow 255.255.0.0 172.16.0.0 255.255.0.0

access list DNS-inspect extended permit tcp any any eq field

access list DNS-inspect extended permit udp any any eq field

access-list extended capin permit ip host 172.16.1.234 all

access-list extended capin permit ip host 172.16.1.52 all

access-list extended capin permit ip any host 172.16.1.52

Capin list extended access permit ip host 172.16.0.82 172.16.0.61

Capin list extended access permit ip host 172.16.0.61 172.16.0.82

access-list extended capout permit ip host 2.2.2.2 everything

access-list extended capout permit ip any host 2.2.2.2

Access campus-lan_nat0_outbound extended ip 172.16.0.0 list allow 255.255.0.0 192.168.150.0 255.255.255.0

pager lines 24

Enable logging

debug logging in buffered memory

asdm of logging of information

Internet1-outside of MTU 1500

Internet2-outside of MTU 1500

interface-dmz MTU 1500

Campus-lan of MTU 1500

MTU 1500 CSC-MGMT

IP local pool 192.168.150.2 - 192.168.150.250 mask 255.255.255.0 vpnpool1

IP check path reverse interface internet2-outside

IP check path reverse interface interface-dmz

IP check path opposite campus-lan interface

IP check path reverse interface CSC-MGMT

no failover

ICMP unreachable rate-limit 1 burst-size 1

ASDM image disk0: / asdm - 621.bin

don't allow no asdm history

ARP timeout 14400

interface of global (internet1-outside) 1

interface of global (internet2-outside) 1

NAT (campus-lan) 0-campus-lan_nat0_outbound access list

NAT (campus-lan) 1 0.0.0.0 0.0.0.0

NAT (CSC-MGMT) 1 10.0.0.5 255.255.255.255

static (CSC-MGMT, internet2-outside) 2.2.2.3 10.0.0.5 netmask 255.255.255.255

Access-group INTERNET2-IN interface internet1-outside

group-access INTERNET1-IN interface internet2-outside

group-access CAMPUS-LAN in campus-lan interface

CSC-OUT access-group in SCC-MGMT interface

Internet2-outside route 0.0.0.0 0.0.0.0 2.2.2.5 1

Route internet1-outside 0.0.0.0 0.0.0.0 1.1.1.5 2

Timeout xlate 03:00

Timeout conn 01:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02

Sunrpc timeout 0:10:00 h323 0:05:00 h225 mgcp from 01:00 0:05:00 mgcp-pat 0:05:00

Sip timeout 0:30:00 sip_media 0:02:00 prompt Protocol sip-0: 03:00 sip - disconnect 0:02:00

Timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute

timeout tcp-proxy-reassembly 0:01:00

dynamic-access-policy-registration DfltAccessPolicy

the ssh LOCAL console AAA authentication

AAA authentication enable LOCAL console

Enable http server

http 10.0.0.2 255.255.255.255 CSC-MGMT

http 10.0.0.8 255.255.255.255 CSC-MGMT

HTTP 1.2.2.2 255.255.255.255 internet2-outside

HTTP 1.2.2.2 255.255.255.255 internet1-outside

No snmp server location

No snmp Server contact

Server enable SNMP traps snmp authentication linkup, linkdown cold start

Crypto ipsec transform-set esp-SHA-ESP-3DES-3des esp-sha-hmac

Crypto ipsec transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac

Crypto ipsec transform-set ESP-DES-SHA esp - esp-sha-hmac

Crypto ipsec transform-set ESP-DES-MD5 esp - esp-md5-hmac

Crypto ipsec transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac

Crypto ipsec transform-set ESP-3DES-MD5-esp-3des esp-md5-hmac

Crypto ipsec transform-set ESP-AES-256-SHA 256 - aes - esp esp-sha-hmac

Crypto ipsec transform-set ESP-AES-128-SHA aes - esp esp-sha-hmac

Crypto ipsec transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac

Crypto ipsec transform-set ESP-AES-128-MD5-esp - aes esp-md5-hmac

life crypto ipsec security association seconds 28800

Crypto ipsec kilobytes of life - safety 4608000 association

crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 pfs set group5

Crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 value transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA MD5-ESP-3DES ESP-DES-SHA ESP-DES-MD5

Crypto map internet2-outside_map 65535-isakmp dynamic ipsec SYSTEM_DEFAULT_CRYPTO_MAP

crypto internet2-outside_map outside internet2 network interface card

Crypto ca trustpoint _SmartCallHome_ServerCA

Configure CRL

Crypto ca certificate chain _SmartCallHome_ServerCA

certificate ca xyzxyzxyzyxzxyzxyzxyzxxyzyxzyxzy

a67a897as a67a897as a67a897as a67a897as a67a897as a67a897as a67a897as a67a897as a67a897as

a67a897as a67a897as a67a897as a67a897as a67a897as

quit smoking

ISAKMP crypto enable internet2-outside

crypto ISAKMP policy 10

preshared authentication

aes encryption

md5 hash

Group 2

life 86400

Telnet 10.0.0.2 255.255.255.255 CSC-MGMT

Telnet 10.0.0.8 255.255.255.255 CSC-MGMT

Telnet timeout 5

SSH 1.2.3.3 255.255.255.240 internet1-outside

SSH 1.2.2.2 255.255.255.255 internet1-outside

SSH 1.2.2.2 255.255.255.255 internet2-outside

SSH timeout 5

Console timeout 0

a basic threat threat detection

Statistics-list of access threat detection

no statistical threat detection tcp-interception

WebVPN

internal VPN_TG_1 group policy

VPN_TG_1 group policy attributes

Protocol-tunnel-VPN IPSec

username ssochelpdesk encrypted password privilege 15 xxxxxxxxxxxxxx

privilege of encrypted password username administrator 15 xxxxxxxxxxxxxx

username vpnuser1 encrypted password privilege 0 xxxxxxxxxxxxxx

username vpnuser1 attributes

VPN-group-policy VPN_TG_1

type tunnel-group VPN_TG_1 remote access

attributes global-tunnel-group VPN_TG_1

address vpnpool1 pool

Group Policy - by default-VPN_TG_1

IPSec-attributes tunnel-group VPN_TG_1

pre-shared-key *.

class-map cmap-DNS

matches the access list DNS-inspect

CCS-class class-map

corresponds to the CSC - acl access list

type of policy-card inspect dns preset_dns_map

parameters

message-length maximum 512

Policy-map global_policy

CCS category

CSC help

cmap-DNS class

inspect the preset_dns_map dns

global service-policy global_policy

context of prompt hostname

Cryptochecksum: y0y0y0y0y0y0y0y0y0y0y0y0y0y

: end

Adding dynamic NAT for 192.168.150.0/24 on the external interface works, or works the sysopt connection permit VPN

Please tell what to do here, to pin all of the traffic Internet from VPN Clients.

That is, that I need clients connected via VPN tunnel, when connected to the internet, should have their addresses IP NAT'ted against the address of outside internet2 network 2.2.2.2 interface, as it happens for the customers of Campus (172.16.0.0/16)

I am well aware of all involved in here, so please be elaborative in your answers. Please let me know if you need more information about this configuration to respond to my request.

Thank you & best regards

MAXS

Hello

If possible, I'd like to see that a TCP connection attempt (e.g. http://www.google.com) in the ASDM logging of the VPN Client when you set up the dynamic NAT for the VPN Pool also.

I'll try also the command "packet - trace" on the SAA, while the VPN Client is connected to the ASA.

The command format is

packet-tracer intput tcp

That should tell what the SAA for this kind of package entering its "input" interface

Still can not see something wrong with the configuration (other than the statement of "nat" missing Dynamics PAT)

-Jouni

Site to Site with the subnets overlap

Hi all

Search for comfirmation on what is / is not possible. In short, we have a requirement of site but our local LAN varies from conflict. I am aware of how this get up and running with the help of a pool of IP addresses that is a basic ASA/IOS device can NAT behind but I wonder if it is possible to NAT behind a single IP address. NAT is also in place for the general internet traffic, but I hope that the image attached best describes our scenario.

Any help / advice appreciated.

Kind regards

Martyn

Hello

You will need to do NAT on both ends to get the installation work.

With these types of configurations, I more often just a 24 natted network to 24 another network on both sites.

You can configure one of the sites use a PAT address towards the other end, but the other end must have protected by some sort of NAT static between the hosts unique or equal to 24 networks.

If you would happen to configure both sites with a PAT translation, you couldn't really initiate connections between the site because no real host on networks 192.168.1.0/24 would have their own specific NAT IP to connect to.

So in short
- Both sites need NAT network
- Use 1:1 NAT static is between host addresses or complete networks on both sites
  - The two sites could start the connection to any host on the remote end every single host has its own IP NAT staticly assigned address
- Use of PAT for site and other NAT static 1:1 with the addresses of host or complete networks on the other site
  - Site with unique PAT IP address can connect to all hosts of remote sites, since they have staticly NAT IP addresses assigned.
  - Homepage is not able to connect to any host at his remote site that the remote site has only a PAT address facing their way.
If you had 2 ASAs with 8.2 or UNDER software your static NAT configurations could be e.g.

Basic information
- Site1: 192.168.1.0/24
- Site1 NAT: 10.10.1.0/24
- Site2: 192.168.1.0/24
- Site2 NAT: 10.10.2.0/24
Static configuration NAT of policy site1

permit L2L-VPN-POLICYNAT from the list of access ip 192.168.1.0 255.255.255.0 10.10.2.0 255.255.255.0

public static (inside, outside) 10.10.1.0 - L2L-VPN-POLICYNAT access list

Static configuration NAT of policy site2

permit L2L-VPN-POLICYNAT from the list of access ip 192.168.1.0 255.255.255.0 10.10.1.0 255.255.255.0

public static (inside, outside) 10.10.2.0 - L2L-VPN-POLICYNAT access list

PAT configuration at each end

permit L2L-VPN-POLICYPAT from the list of access ip 192.168.1.0 255.255.255.0 10.10.x.0 255.255.255.0

Global 10.10.x.1 of xxx (outside)

NAT (inside) xxx access-list L2L-VPN-POLICYPAT

If you had 2 ASAs with 8.3 or above software your static NAT configurations could be for example (same information base)

Static configuration NAT of policy site1

the object of the LAN network

subnet 192.168.1.0 255.255.255.0

network of the LAN - NAT object

10.10.1.0 subnet 255.255.255.0

network of the REMOTE object

255.255.255.0 subnet 10.10.2.0

static (inside, outside) 1 static source LAN LAN - NAT static destination REMOTE

Static configuration NAT of policy site2

the object of the LAN network

subnet 192.168.1.0 255.255.255.0

network of the LAN - NAT object

255.255.255.0 subnet 10.10.2.0

network of the REMOTE object

10.10.1.0 subnet 255.255.255.0

static (inside, outside) 1 static source LAN LAN - NAT static destination REMOTE

PAT configuration at each end

the object of the LAN network

subnet 192.168.1.0 255.255.255.0

network of the LAN-PAT object

Home 10.10.x.1

network of the REMOTE object

10.10.x.0 subnet 255.255.255.0

static (inside, outside) 1 dynamic source LAN LAN-PAT destination static REMOTE

-Jouni

VPN site to Site with the IP address range internal Natting?

This is our real internal LAN address: 10.40.120.0/26 (internal range) and I want to translate to

Translated the address: 10.254.9.64.255.255.255.192 (Internal)

Our remote local address is: 10.254.5.64 site 255.255.255.192(Remote adresse Ip interne ajouter plage)

Based on the above parameters I did this configuration

outside_cryptomap ip 10.254.9.64 access list allow 255.255.255.192 10.254.5.64 255.255.255.192
policy-nat of ip 10.40.120.0 access list allow 255.255.255.192 10.254.5.64 255.255.255.192
public static 10.254.9.64 (inside, outside) - list of access policy-nat

I had all the phase 1 and Phase 2 required parameters and add public ip peer.

I had set up vpn by using ASDM before but this scenario is new for me, all I was wondering is there anything I need to properly configure Setup VPN

If you see TX increases but not RX which means that traffic is sent to the remote end however there is no response.

I suggest that you check with the remote end of VPN to see where is the problem. It is very probably the remote side.

How to check my site from https to the Web site with you? The warning triangle should disappear.

www.needlepointnow.com has a caution symbol triangle it's https address.
What are the steps to verify my site with firefox? Keep in mind I'm not SHE but a humble Designer. So step by step please.

This must be resolved so that our readers feel secure renewing subscriptions.

Your site is currently using TLS 1.0, which is obsolete and unsafe. You must upgrade to TLS 1.2 or later

Firefox does not display properly and is very laggy on sites with Protection DDoS CloudFlare

Since 35.0 and especially I get odd behavior on sites with CloudFlare DDoS protection.

When I open the site in a new window, it really takes a lot of time and sometimes nothing appears and gives me a blank page. and now that she just started saying 'New tab' and I can't hit refresh.

When the site loads actually after 20 attempts something, the site is lag, any action takes more than 20 seconds.

When I try to open something, I have a blank page with the URL to tabs. Whenever I try like or post anything, it delays of 15 to 20 seconds.

The site I'm trying to use with a lot of failure. http://hypixel.NET/

Anyone else having this problem?

Have you installed incredibar yourself? Do you want only it? I really think it's that slow you down.
Its a diversion ad-ware here is how to uninstall it http://malwaretips.com/blogs/remove-mystart-by-incredibar-virus/

Impossible to search once the site with firefox

I find a site with Firefox, once I'm there, I get those pop ups, even though I have a pop-up blocker on, and I can not search the site. For example, Harbor Freight tools. I get on the site and then impossible to search the site. It might be their site that's the problem, but I'm not sure. Moreover, how is it that when I download a new version of your software, all that junk happens, as the optimizer Pro, or some other stuff, I have no need. I go back and take most of it, because it of annoying and slows things down. Thank you.

Hello, just download firefox from the official site at mozilla.org - more updates are handled automatically by firefox if you don't have to download anything (you can run a check of updates of firefox > help > about firefox).

You can also run a full scan of your system with software security already in place and the various tools like the free version of malwarebytes, adwcleaner & kaspersky security scan to make sure there isn't already a kind of active malware on your system that triggers these false alerts.

Fix Firefox problems caused by malicious software

I've updated Windows 8.0 Windows 8.1, since Firefox run a bit oddly. In particular, when on the sites with lots of images like Facebook, etc.

Hello, I am writing because I have a few problems with my favorite browser after update to 8.1 Windows. Here are some details. I've updated Windows 8.0 Windows 8.1, since Firefox run a bit oddly. In particular, when on sites with lots of images like Facebook. It's as if there is some sort of effect of Flikr between the office and the images, as well as between the images and the browser (a bit like old flikering of 16-bit video games). It's not too bad, but it's a question. I tried to reset firefox and restart the computer. I have not tried a repair, and I haven't done an uninstall.

Hello, disable hardware acceleration in firefox should a restart of the application is taken into account. have you tried that too?

Please also see if there is an available update your graphics drivers ...

I can't watch videos on some Web sites with firefox. They all work with Internet Explorer. This just started happening a few days ago.

When I go on youTube and click on a video, I get a black screen with controls and an arrow of beginning in the middle. When I click on the arrow to start, no video only comes up... just the statement: "year error occurred." Please try again later. "Same thing on other sites with videos. They will not play. Another site with videos, he says that the player will not load.
I cleared the cache, cookies, downloaded the new 14 beta version of firefox, tried to download an old version of Adobe Flash Player (11). I had Firefox v13.
Nothing has changed so far. I hope someone can help with this. All these sites and videos work fine when I use Internet Explorer.

There are a few compatibility problems between the latest Flash Player (11.3) and some settings or Firefox Add-ons. Could see you if anything in this article helps you: 11.3 Flash does not load video in Firefox.

All of a sudden when I opened a Web site with a webcam, webcam is empty.

Out of the blue my sites with webcams, be they ustream or otherwise, will not leak the cam. It is empty. They fine streaming in internet explore. I read something on filters, but I don't think we've changed anything and I do not know how to find if there is a filter on or not. Here is an example of a site.

Thank you all. It took about 5 tries to install and uninstall adobe flashplayer before I find that real player is mess up and I had to pass some things on RealPlayer. I have the cams on Firefox, but cannot get them on IE. Don't want to spoil a good thing on Firefox. I think that I accepted an update on Adobe. I'll be scared to do now! Thanks again. Very useful for pointing me in the right direction. It is quite frustrating.

Have Windows 7 running on Parallels Desktop with a Mac. Get "setup.exe is not a valid Win32 application" when trying to download a program with Windows Explorer. I can download from these sites with Vista and XP with other computers.

Have Windows 7 running on Parallels Desktop with a Mac. Get "setup.exe is not a valid Win32 application" when trying to download a program with Windows Explorer. I can download from these sites with Vista and XP with other computers. Now, I can't download the programs that are supposed to solve the problem! including FoxFire

Try to download from this site:
- Firefox 8.0.x: http://www.mozilla.com/en-US/firefox/all.html

PIX v6.3 Site-to-Site with policy NAT

Similar Questions

Maybe you are looking for