Policy overlapping NAT VPN

Hello community,

I'm going nuts here. We are trying to configure policy NAT through a site-to-site VPN tunnel, but can't seem to get it working. Here is our configuration:

access-list sheep extended permit ip 192.168.1.0 255.255.255.0 192.168.12.0 255.255.255.0
access-list sheep extended permit ip host 10.23.1.5 192.168.12.0 255.255.255.0
access-list inside_nat_static extended permit ip host 192.168.1.5 192.168.12.0 255.255.255.0
access-list inside_nat_static2 extended permit ip host 192.168.1.5 any
nat (inside) 0 access-list sheep
nat (inside) 2 192.168.1.0 255.255.255.0
static (inside,outside) 10.23.1.5 access-list inside_nat_static
static (inside,outside) 63.123.4.56 access-list inside_nat_static2

I omitted the VPN part because it is correct. When we initiate a ping, the tunnel comes up. The problem we have is on our side, with policy NAT I think. With a ping from the remote desktop to our ASA, we see all the incoming traffic, but our server's replies do not go back out.

Appreciate any input...

-Tom

Tom,

Sorry for the delay, I forgot about you, I've just been very busy.

Here's what you'll need:

First remove these (you intentionally want that traffic to be NATed, not exempted by 'sheep'):

access-list sheep extended permit ip 192.168.1.0 255.255.255.0 192.168.12.0 255.255.255.0
access-list sheep extended permit ip host 10.23.1.5 192.168.12.0 255.255.255.0

Then add this to translate your outgoing traffic:

access-list 199 permit ip host 192.168.1.5 192.168.12.0 255.255.255.0
static (inside,outside) 10.23.1.5 access-list 199

Translate your inbound traffic as well:

static (outside,inside) 192.168.12.0 192.168.1.0 netmask 255.255.255.0

Define your crypto ACL from the translated local host to the translated remote subnet:

access-list cryptomap extended permit ip host 10.23.1.5 192.168.12.0 255.255.255.0

You can remove the other line of that ACL.

Your host should then reach 192.168.12.x, which is the translated remote network.

Try it and let me know how it goes.

Raga
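The order-of-operations point behind Raga's fix (on ASA 8.2, NAT exemption is evaluated before any static, so the 'sheep' entries were hiding the policy static, and the crypto ACL, which names 10.23.1.5, never matched) can be checked in a small model. The following is an added example, not Cisco code and not the poster's configuration; the class, method names and rule layout are this example's own, and it models source translation only, not the outside-to-inside static. It also shows the first-match-in-configuration-order rule for statics that the "nat VPN question" thread further down runs into, using 203.0.113.50 as a constructed stand-in for the masked public address there.

```python
"""Model of the ASA 8.2 (pre-8.3) NAT order of operations for inside->outside
traffic. Added example for this thread: not Cisco code, not the poster's config.
Modelled order: (1) nat 0 access-list exemption, (2) statics, regular and
policy alike, first match in configuration order, (3) dynamic nat/global.
Only source translation is modelled; outside->inside statics are not."""
from ipaddress import ip_address, ip_network

ANY = ip_network("0.0.0.0/0")

def ace(src, dst=ANY):
    """One access-list entry as (source network, destination network)."""
    return (ip_network(src), ip_network(dst) if isinstance(dst, str) else dst)

def matches(acl, src, dst):
    """True if some ACE in acl covers the (src, dst) address pair."""
    return any(src in s and dst in d for s, d in acl)

def _map(src, real_net, mapped_net):
    """Keep the host offset: real_net + k  ->  mapped_net + k."""
    offset = int(src) - int(real_net.network_address)
    return str(ip_address(int(mapped_net.network_address) + offset))

class Asa82Nat:
    def __init__(self):
        self.exempt = []   # nat (inside) 0 access-list ACL
        self.statics = []  # static (inside,outside) ..., in configuration order
        self.dynamic = []  # nat (inside) N real_net  (matching global assumed)

    def nat_exempt(self, acl):
        self.exempt.append(acl)

    def static(self, mapped, real=None, acl=None):
        """Regular static (mapped real) when real is given,
        policy static (mapped access-list acl) when acl is given."""
        self.statics.append((ip_network(mapped),
                             ip_network(real) if real else None, acl))

    def nat_dynamic(self, real_net):
        self.dynamic.append(ip_network(real_net))

    def translate(self, src_ip, dst_ip):
        """Return (rule kind, translated source; None for dynamic PAT)."""
        src, dst = ip_address(src_ip), ip_address(dst_ip)
        if any(matches(acl, src, dst) for acl in self.exempt):
            return ("exempt", str(src))          # leaves with its real address
        for mapped, real, acl in self.statics:
            if acl is None:
                if src in real:
                    return ("static", _map(src, real, mapped))
            else:
                for s, d in acl:
                    if src in s and dst in d:
                        return ("policy-static", _map(src, s, mapped))
        for real_net in self.dynamic:
            if src in real_net:
                return ("dynamic", None)         # interface PAT, address unknown here
        return ("none", str(src))

# Crypto ACL from the reply: translated host -> translated remote network.
CRYPTO_ACL = [ace("10.23.1.5/32", "192.168.12.0/24")]

def enters_tunnel(asa, src_ip, dst_ip):
    """Does the post-NAT packet match the crypto ACL (i.e. get encrypted)?"""
    _, xlated = asa.translate(src_ip, dst_ip)
    return xlated is not None and matches(CRYPTO_ACL, ip_address(xlated), ip_address(dst_ip))

def toms_original():
    asa = Asa82Nat()
    sheep = [ace("192.168.1.0/24", "192.168.12.0/24"), ace("10.23.1.5/32", "192.168.12.0/24")]
    asa.nat_exempt(sheep)                                   # nat (inside) 0 access-list sheep
    asa.nat_dynamic("192.168.1.0/24")                       # nat (inside) 2 192.168.1.0 ...
    asa.static("10.23.1.5/32", acl=[ace("192.168.1.5/32", "192.168.12.0/24")])
    asa.static("63.123.4.56/32", acl=[ace("192.168.1.5/32")])
    return asa

def ragas_fix():
    asa = Asa82Nat()                                        # exemption removed
    asa.nat_dynamic("192.168.1.0/24")
    asa.static("10.23.1.5/32", acl=[ace("192.168.1.5/32", "192.168.12.0/24")])  # access-list 199
    asa.static("63.123.4.56/32", acl=[ace("192.168.1.5/32")])
    return asa

def static_order_demo(policy_first):
    """Regular static for a host vs policy static for its subnet: whichever is
    configured first wins for traffic to the VPN peer network."""
    asa = Asa82Nat()
    policy = ("10.40.27.0/24", dict(acl=[ace("192.168.141.0/24", "10.90.238.0/24")]))
    regular = ("203.0.113.50/32", dict(real="192.168.141.10/32"))   # constructed public IP
    for mapped, kw in ([policy, regular] if policy_first else [regular, policy]):
        asa.static(mapped, **kw)
    return asa.translate("192.168.141.10", "10.90.238.148")

if __name__ == "__main__":
    for label, asa in (("original", toms_original()), ("fixed", ragas_fix())):
        print(label, asa.translate("192.168.1.5", "192.168.12.10"),
              "tunnel:", enters_tunnel(asa, "192.168.1.5", "192.168.12.10"))
    print("policy static first:", static_order_demo(True))
    print("regular static first:", static_order_demo(False))
```

With the original rules the host leaves exempt as 192.168.1.5 and never matches the crypto ACL; with the exemption removed it leaves as 10.23.1.5 and does, while the same host still goes out as 63.123.4.56 for Internet destinations and the rest of the LAN falls through to dynamic PAT. The ordering demo is the practical takeaway for the other threads: a regular static for a host placed above a policy static for its subnet takes the VPN-bound traffic too.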

Tags: Cisco Security

Similar Questions

  • Static policy NAT conflicting with static NAT for a VPN

    I have a situation where I need to create a site-to-site VPN between an ASA 5505 using IOS 7.2 and a SonicWall NSA4500. The problem arises because the LAN behind the Cisco ASA has the same subnet as an existing VPN already created on the SonicWall. Since the SonicWall cannot have two VPNs on the same subnet, the solution is to use policy NAT on the ASA so that, to the SonicWall, the new VPN appears to have a different subnet.

    The current subnet behind the ASA is 192.168.10.0/24 (the SonicWall already has a virtual private network created for another customer with the same subnet). I am trying to translate it to 192.168.24.0/24. The peer LAN (behind the SonicWall) is 10.159.0.0/24. The relevant ASA configuration is:

    interface Vlan1
     ip address 192.168.10.1 255.255.255.0
    access-list outside_1_cryptomap extended permit ip 192.168.24.0 255.255.255.0 10.159.0.0 255.255.255.0
    access-list VPN extended permit ip 192.168.10.0 255.255.255.0 10.159.0.0 255.255.255.0
    static (inside,outside) 192.168.24.0 access-list VPN
    crypto map outside_map 1 match address outside_1_cryptomap

    In addition, there are other static NAT statements and their associated ACLs that allow certain traffic through the firewall to the server, for example:

    static (inside,outside) tcp interface smtp SERVER smtp netmask 255.255.255.255

    The problem is this: when I enter the static policy NAT statement, I get the message 'WARNING: real-address conflict with existing static' and it then refers to each of the static NAT statements that map the external address to the server. I've thought about it, and it seemed to me that the problem was that the policy NAT statement must be the first NAT statement (it is the last one) so that it is evaluated first and all traffic destined for the VPN tunnel to the SonicWall (destination 10.159.0.0/24) is handled properly. If I left it as the last statement, then the other static NAT statements would prevent part of the traffic bound for the 10.159.0.0/24 network from being correctly routed through the VPN.

    So, I first tried to move my policy NAT statement upward in the ASDM GUI. However, moving the statement was not allowed. Then I tried to delete the five static NAT statements that point to the server (one example is above) and then recreate them, hoping that would move the policy NAT statement up. This also failed.

    What am I missing?

    Hello

    I assumed we could have changed the order of the 'static' commands from the original order, but as that did not work for some reason, it seems to me that either the change you suggested or the one I proposed should work.

    I guess your aim was to set up static policy PAT for the VPN for some of these services, then static PAT for public network access, then static policy NAT for the rest of the internal network.

    I guess you could choose whichever way seems best to you.

    Let me know if you get it working. I still find it strange that the original configuration did not work.

    Remember to mark a reply as the answer if it answered your question.

    Feel free to ask more if necessary

    -Jouni

  • VPN overlapping NAT

    Here is my complete config.

    Here are a few notes:

    IP obtained from the VPN: 10.250.128.x

    LAN IP: 192.168.0.0/24

    My VPN works at the moment; #1 for those who don't.

    What I want to do is NAT my VPN for this:

    Example: I want to access the computer 192.168.0.2 on the company LAN.

    I want to hit 192.168.200.2 from the PC (which is connected to the VPN), and the Cisco will convert 192.168.200.2 to 192.168.0.2 so I can access my PC at work.

    Of course, I am thinking about being able to do the other side as well (192.168.0.2 to 192.168.200.2 to be able to send the packets back; not sure on this).

    Can you guys help me? At the moment this is beyond my knowledge.

    ASA Version 8.2(1)
    !
    terminal width 250
    hostname hostname
    enable password d0/xPtlKePBzdYTe encrypted
    passwd 2KFQnbNIdI.2KYOU encrypted
    names
    !
    interface Vlan1
     nameif inside
     security-level 100
     ip address 192.168.0.254 255.255.255.0
    !
    interface Vlan2
     nameif outside
     security-level 0
     ip address 10.0.128.1 255.255.255.0
    !
    interface Ethernet0/0
     switchport access vlan 2
     speed 10
     duplex full
    !
    interface Ethernet0/1
     speed 10
     duplex full
    !
    interface Ethernet0/2
    !
    interface Ethernet0/3
    !
    interface Ethernet0/4
    !
    interface Ethernet0/5
    !
    interface Ethernet0/6
    !
    interface Ethernet0/7
    !
    boot system disk0:/asa821-k8.bin
    ftp mode passive
    object-group service grp_outside_in tcp
     description Ports required for internal transfer
     port-object eq smtp
     port-object eq ssh
    access-list inside-out extended permit ip any any
    access-list inside-out extended permit icmp any any
    access-list no_nat extended permit ip 192.168.0.0 255.255.0.0 10.250.128.0 255.255.255.0
    access-list split-tunnel extended permit ip 192.168.0.0 255.255.20.0 10.250.128.0 255.255.255.0
    access-list 100 extended permit ip 10.250.128.0 255.255.255.0 192.168.0.0 255.255.255.0
    access-list 100 extended permit icmp 10.250.128.0 255.255.255.0 192.168.0.0 255.255.255.0
    access-list 101 extended permit ip any any
    access-list 101 extended permit icmp any any
    pager lines 34
    logging enable
    logging timestamp
    logging buffered debugging
    logging trap debugging
    logging asdm informational
    mtu inside 1500
    mtu outside 1500
    ip local pool mobilepool 10.250.128.100-10.250.128.130 mask 255.255.255.0
    icmp unreachable rate-limit 1 burst-size 1
    asdm image disk0:/asdm-621.bin
    no asdm history enable
    arp timeout 14400
    global (outside) 1 interface
    nat (inside) 0 access-list no_nat
    nat (inside) 1 0.0.0.0 0.0.0.0
    nat (outside) 1 0.0.0.0 0.0.0.0
    route outside 0.0.0.0 0.0.0.0 10.0.128.2 1
    timeout xlate 3:00:00
    timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
    timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
    timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
    timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
    timeout tcp-proxy-reassembly 0:01:00
    dynamic-access-policy-record DfltAccessPolicy
    aaa authentication ssh console LOCAL
    http server enable
    http 192.168.1.0 255.255.255.0 inside
    http 192.168.0.0 255.255.255.0 inside
    no snmp-server location
    no snmp-server contact
    snmp-server enable traps snmp authentication linkup linkdown coldstart
    crypto ipsec transform-set floating esp-3des esp-md5-hmac
    crypto ipsec security-association lifetime seconds 28800
    crypto ipsec security-association lifetime kilobytes 4608000
    crypto dynamic-map dyn1 1 set transform-set floating
    crypto dynamic-map dyn1 1 set reverse-route
    crypto map mobilemap 1 ipsec-isakmp dynamic dyn1
    crypto map mobilemap interface outside
    crypto isakmp enable outside
    crypto isakmp policy 1
     authentication pre-share
     encryption 3des
     hash sha
     group 2
     lifetime 86400
    telnet timeout 5
    ssh 192.168.0.0 255.255.255.0 inside
    ssh 10.0.128.0 255.255.255.0 inside
    ssh timeout 5
    ssh version 2
    console timeout 0
    dhcpd auto_config outside
    !
    threat-detection basic-threat
    threat-detection statistics access-list
    no threat-detection statistics tcp-intercept
    webvpn
    group-policy vpn internal
    group-policy vpn attributes
     vpn-simultaneous-logins 50
     vpn-idle-timeout 2000
     vpn-session-timeout 2000
    group-policy mobile_policy internal
    group-policy mobile_policy attributes
     split-tunnel-policy tunnelspecified
     split-tunnel-network-list value
    username admin password N2TJh8TeuGc7EOVu encrypted privilege 15
    username user1 password gLGaPhl70GqS8DhN encrypted
    username user2 password Y7.fXmPk3FvKUGOO encrypted
    tunnel-group mobilegroup type remote-access
    tunnel-group mobilegroup general-attributes
     address-pool mobilepool
     default-group-policy mobile_policy
    tunnel-group mobilegroup ipsec-attributes
     pre-shared-key *
    !
    class-map global-class
     match default-inspection-traffic
    class-map inspection_default
     match default-inspection-traffic
    !
    !
    policy-map type inspect dns preset_dns_map
     parameters
      message-length maximum 512
    policy-map global_policy
     class inspection_default
      inspect dns preset_dns_map
      inspect ftp
      inspect h323 h225
      inspect h323 ras
      inspect rsh
      inspect rtsp
      inspect esmtp
      inspect sqlnet
      inspect skinny
      inspect sunrpc
      inspect xdmcp
      inspect sip
      inspect netbios
      inspect tftp
    !
    service-policy global_policy global
    prompt hostname context
    Cryptochecksum:012d58f20bdf997d1e7b6927431e0015
    : end

    Hi Mr. Gyslain,

    So, if I understand correctly, you want the following:

    • NAT the local LAN 192.168.0.0/24 to 192.168.200.0/24 for VPN Client users, so that their local network does not overlap with your local network while they are connected

    To my knowledge, you should be able to handle this with the following changes to your configuration:

    • Configure policy NAT
    • Change the Split Tunnel rules
    • Remove the existing NAT0 rule

    Here are some example configurations that I think should handle the situation. Of course, make sure you have the old configuration at hand in case you need to go back to it.

    Remove the NAT0 rule

    • no nat (inside) 0 access-list no_nat
    • no access-list no_nat extended permit ip 192.168.0.0 255.255.0.0 10.250.128.0 255.255.255.0

    By removing the above configuration, we avoid presenting the LAN to the VPN Client user with its original IP addresses.

    Create the policy NAT

    • access-list VPN-CLIENT-POLICY-NAT permit ip 192.168.0.0 255.255.255.0 10.250.128.0 255.255.255.0
    • static (inside,outside) 192.168.200.0 access-list VPN-CLIENT-POLICY-NAT netmask 255.255.255.0

    With the above configuration, we tell the ASA to NAT your local LAN 192.168.0.0/24 to 192.168.200.0/24 WHEN connections are made to the destination network 10.250.128.0/24, which is the VPN Client pool. This naturally works in both directions. Also note that if your host's LAN IP address is, for example, 192.168.0.100, its NAT address is 192.168.200.100.

    Change the VPN Client Split Tunnel

    • access-list VPN-SPLIT-TUNNEL standard permit 192.168.200.0 255.255.255.0
    • group-policy mobile_policy attributes
      • split-tunnel-network-list value VPN-SPLIT-TUNNEL

    The above configuration changes your VPN Client Split Tunnel ACL to a standard ACL that tells the client which networks to send through the VPN. In this case, it would be the new policy NAT network 192.168.200.0/24. After configuring the ACL you naturally set it under the VPN settings.

    I don't know if you have split tunnel configured at all, because the configuration does not show the ACL name. I know that you can at least have the "tunnelspecified" configuration line without specifying the actual ACL, but I don't know whether that is a copy/paste problem or a typo; it should work with full tunnel also.

    With the above configuration, to my knowledge, everything should work.

    -Jouni

    EDIT: Some typos

    Edit2: Group policy name was wrong

  • Porting 8.2(5) policy NAT for a VPN from an ASA5510 to an ASA5515 running 8.6(1)

    I have this existing config (which works) on an ASA5510 running v8.2(5).
    I need to port this to an ASA5515 running v8.6(1).
    ASA5510 inside net: 192.168.1.0/24
    Remote VPN peer network: 172.16.21.192/28
    !
    access-list InsideGlobal-2-OutsideNetwork extended permit ip host 10.0.200.211 172.16.21.192 255.255.255.240
    access-list InsideGlobal-2-OutsideNetwork extended permit ip host 10.0.202.39 172.16.21.192 255.255.255.240
    !
    access-list InsideLocal.1-2-OutsideNetwork extended permit ip host 192.168.1.1 172.16.21.192 255.255.255.240
    access-list InsideLocal.191-2-OutsideNetwork extended permit ip host 192.168.1.191 172.16.21.192 255.255.255.240
    !
    static (inside,outside) 10.0.200.211 access-list InsideLocal.1-2-OutsideNetwork
    static (inside,outside) 10.0.202.39 access-list InsideLocal.191-2-OutsideNetwork
    !
    crypto map outside_map 1 match address InsideGlobal-2-OutsideNetwork
    !

    I think what I need is the following:
    !
    object network OBJ_172.16.21.192_28
     subnet 172.16.21.192 255.255.255.240
    !
    object network OBJ_10.0.200.211_32
     host 10.0.200.211
    !
    object network OBJ_10.0.202.39_32
     host 10.0.202.39
    !
    object network OBJ_192.168.1.1_32
     host 192.168.1.1
    !
    object network OBJ_192.168.1.191_32
     host 192.168.1.191
    !
    access-list InsideGlobal-2-OutsideNetwork extended permit ip object OBJ_10.0.200.211_32 object OBJ_172.16.21.192_28
    access-list InsideGlobal-2-OutsideNetwork extended permit ip object OBJ_10.0.202.39_32 object OBJ_172.16.21.192_28
    !
    nat (inside,outside) source static OBJ_192.168.1.1_32 OBJ_10.0.200.211_32 destination static OBJ_172.16.21.192_28 OBJ_172.16.21.192_28 no-proxy-arp route-lookup
    nat (inside,outside) source static OBJ_192.168.1.191_32 OBJ_10.0.202.39_32 destination static OBJ_172.16.21.192_28 OBJ_172.16.21.192_28 no-proxy-arp route-lookup
    !
    crypto map outside_map 1 match address InsideGlobal-2-OutsideNetwork

    Thx - Phil

    Hi Phil,

    The 8.2.x configuration converted to 8.6.x is correct. Go with it.

    Vishnu

  • nat VPN question.

    Trying to find out what happened. I had the remote end bring up the tunnel, and they can ping resources on my side. I am unable to ping 10.90.238.148 through this tunnel. I used to be able to until the K_Inc interface was added. The network behind this interface is 10/8.

    I asked a question earlier in another post and was advised to set reverse-route on the crypto map. And that did it. I was able to ping 10.90.238.148 from 192.168.141.10 with the config below.

    I am at a loss as to why I suddenly can't. A bit of history: the routes given have not changed. Adding the set reverse-route command to the crypto map gave me a static entry for the 10.90.238.0 network, which is what fixed it initially, so I don't think it's a routing problem. The remote end had an overlap with 192.168.141.0/24, which is why my side is NATed to 10.40.27.0. None of the NATs have changed, so if adding the reverse route worked for a day, it should still work. Any thoughts?

    interface GigabitEthernet0/3.10
     vlan 10
     nameif K_Inc
     security-level 100
     ip address 192.168.10.254 255.255.255.0
    interface GigabitEthernet0/3.141
     vlan 141
     nameif cold
     security-level 100
     ip address 192.168.141.254 255.255.255.0
    nat (cold) 0 access-list sheep
    nat (cold) 1 192.168.141.0 255.255.255.0
    access-list CSVPNOFFSITE extended permit ip 192.168.141.0 255.255.255.0 10.90.238.0 255.255.255.0
    access-list CSVPNOFFSITE extended permit ip 10.40.27.0 255.255.255.0 10.90.238.0 255.255.255.0
    access-list CSVPNNAT extended permit ip 192.168.141.0 255.255.255.0 10.90.238.0 255.255.255.0
    access-list sheep extended permit ip 10.40.27.0 255.255.255.0 10.90.238.0 255.255.255.0
    static (cold,outside) 10.40.27.0 access-list CSVPNNAT
    crypto map Outside_map 5 match address CSVPNOFFSITE
    crypto map Outside_map 5 set reverse-route
    crypto map Outside_map 5 set pfs
    crypto map Outside_map 5 set peer 20.x.x.3
    crypto map Outside_map 5 set transform-set ESP-3DES-MD5
    crypto map Outside_map 5 set security-association lifetime seconds 28800
    crypto map Outside_map 5 set security-association lifetime kilobytes 4608000
    tunnel-group 20.x.x.3 type ipsec-l2l
    tunnel-group 20.x.x.3 ipsec-attributes
     pre-shared-key *
    route outside 0.0.0.0 0.0.0.0 7.x.x.1 1
    route K_Inc 10.0.0.0 255.192.0.0 192.168.10.252 1
    route K_Inc 10.64.0.0 255.224.0.0 192.168.10.252 1
    route K_Inc 10.100.100.0 255.255.255.0 192.168.10.252 1
    route K_Inc 10.128.0.0 255.128.0.0 192.168.10.252 1

    Tunnel is up:

    14   IKE Peer: 20.x.x.243
         Type    : L2L             Role    : responder
         Rekey   : no              State   : MM_ACTIVE

    EDIT:

    I just noticed that when I run packet-tracer I don't get a VPN or ENCRYPT phase:

    packet-tracer input cold tcp 192.168.141.10 80 10.90.238.148 80 detailed

    Phase: 1
    Type: FLOW-LOOKUP
    Subtype:
    Result: ALLOW
    Config:
    Additional Information:
    Found no matching flow, creating a new flow

    Phase: 2
    Type: ROUTE-LOOKUP
    Subtype: input
    Result: ALLOW
    Config:
    Additional Information:
    in   10.90.238.0     255.255.255.0   outside

    Phase: 3
    Type: IP-OPTIONS
    Subtype:
    Result: ALLOW
    Config:
    Additional Information:
    Forward Flow based lookup yields rule:
     in  id=0xad048d08, priority=0, domain=inspect-ip-options, deny=true
         hits=2954624, user_data=0x0, cs_id=0x0, reverse, flags=0x0, protocol=0
         src ip=0.0.0.0, mask=0.0.0.0, port=0
         dst ip=0.0.0.0, mask=0.0.0.0, port=0, dscp=0x0

    Phase: 4
    Type: QOS
    Subtype:
    Result: ALLOW
    Config:
    Additional Information:
    Forward Flow based lookup yields rule:
     in  id=0xb2ed4b80, priority=72, domain=qos-per-class, deny=false
         hits=2954687, user_data=0xb2ed49d8, cs_id=0x0, reverse, flags=0x0, protocol=0
         src ip=0.0.0.0, mask=0.0.0.0, port=0
         dst ip=0.0.0.0, mask=0.0.0.0, port=0, dscp=0x0

    Phase: 5
    Type: FOVER
    Subtype: standby-update
    Result: ALLOW
    Config:
    Additional Information:
    Forward Flow based lookup yields rule:
     in  id=0xad090180, priority=20, domain=lu, deny=false
         hits=618776, user_data=0x0, cs_id=0x0, flags=0x0, protocol=6
         src ip=0.0.0.0, mask=0.0.0.0, port=0
         dst ip=0.0.0.0, mask=0.0.0.0, port=0, dscp=0x0

    Phase: 6
    Type: NAT
    Subtype:
    Result: ALLOW
    Config:
    static (ColdSpring,outside) 74.x.x.50 192.168.141.10 netmask 255.255.255.255
      match ip ColdSpring host 192.168.141.10 outside any
        static translation to 74.x.x.50
        translate_hits = 610710, untranslate_hits = 188039
    Additional Information:
    Static translate 192.168.141.10/0 to 74.112.122.50/0 using netmask 255.255.255.255
    Forward Flow based lookup yields rule:
     in  id=0xac541e50, priority=5, domain=nat, deny=false
         hits=610742, user_data=0xac541c08, cs_id=0x0, flags=0x0, protocol=0
         src ip=192.168.141.10, mask=255.255.255.255, port=0
         dst ip=0.0.0.0, mask=0.0.0.0, port=0, dscp=0x0

    Phase: 7
    Type: NAT
    Subtype: host-limits
    Result: ALLOW
    Config:
    static (ColdSpring,dmz) 192.168.141.0 192.168.141.0 netmask 255.255.255.0
      match ip ColdSpring 192.168.141.0 255.255.255.0 dmz any
        static translation to 192.168.141.0
        translate_hits = 4194, untranslate_hits = 20032
    Additional Information:
    Forward Flow based lookup yields rule:
     in  id=0xace2c1a0, priority=5, domain=host, deny=false
         hits=2954683, user_data=0xace2ce68, cs_id=0x0, reverse, flags=0x0, protocol=0
         src ip=192.168.141.0, mask=255.255.255.0, port=0
         dst ip=0.0.0.0, mask=0.0.0.0, port=0, dscp=0x0

    Phase: 8
    Type: IP-OPTIONS
    Subtype:
    Result: ALLOW
    Config:
    Additional Information:
    Reverse Flow based lookup yields rule:
     out id=0xaacbcb90, priority=0, domain=inspect-ip-options, deny=true
         hits=282827537, user_data=0x0, cs_id=0x0, reverse, flags=0x0, protocol=0
         src ip=0.0.0.0, mask=0.0.0.0, port=0
         dst ip=0.0.0.0, mask=0.0.0.0, port=0, dscp=0x0

    Phase: 9
    Type: QOS
    Subtype:
    Result: ALLOW
    Config:
    Additional Information:
    Reverse Flow based lookup yields rule:
     out id=0xb2ed5c78, priority=72, domain=qos-per-class, deny=false
         hits=4749562, user_data=0xb2ed5ad0, cs_id=0x0, reverse, flags=0x0, protocol=0
         src ip=0.0.0.0, mask=0.0.0.0, port=0
         dst ip=0.0.0.0, mask=0.0.0.0, port=0, dscp=0x0

    Phase: 10
    Type: FLOW-CREATION
    Subtype:
    Result: ALLOW
    Config:
    Additional Information:
    New flow created with id 339487904, packet dispatched to next module
    Module information for forward flow ...
    snp_fp_inspect_ip_options
    snp_fp_tcp_normalizer
    snp_fp_translate
    snp_fp_adjacency
    snp_fp_fragment
    snp_fp_tracer_drop
    snp_ifc_stat

    Module information for reverse flow ...
    snp_fp_inspect_ip_options
    snp_fp_translate
    snp_fp_tcp_normalizer
    snp_fp_adjacency
    snp_fp_fragment
    snp_fp_tracer_drop
    snp_ifc_stat

    Phase: 11
    Type: ROUTE-LOOKUP
    Subtype: output and adjacency
    Result: ALLOW
    Config:
    Additional Information:
    found next-hop 7.x.x.1 using egress ifc outside
    adjacency Active
    next-hop mac address 0007.b400.1402 hits 51982146

    Result:
    input-interface: cold
    input-status: up
    input-line-status: up
    output-interface: outside
    output-status: up
    output-line-status: up
    Action: allow

    What ASA version are you running?

    My guess is that your two static NATs are configured above the policy NAT you have configured for the VPN? If this is the case, move your policy NAT above these static NATs and you should see the traffic start to flow properly.

    --

    Please rate all useful posts

  • NAT VPN

    I'm having problems with NAT over VPN. With the current configs below it will complete the first phase of the tunnel and then stop because the IP address is not NATed. If I put a permit in the NAT statement it will NAT to Internet hosts, but not via the VPN. If I put in a static NAT statement it will NAT and attempt to create a tunnel, but I get the error (incrementing error counter on sa, attempt 1 of 5: retransmit phase 1).

    version 12.3
    service timestamps debug datetime msec
    service timestamps log datetime msec
    service password-encryption
    !
    hostname BatsVpnRouter
    !
    boot-start-marker
    boot system flash c1700-k9o3sy7-mz.122-13.T.bin
    boot-end-marker
    !
    no logging console
    enable secret xxx
    enable password xxx
    !
    mmi polling-interval 60
    no mmi auto-configure
    no mmi pvc
    mmi snmp-timeout 180
    no aaa new-model
    no ip subnet-zero
    !
    ip cef
    ip audit po max-events 100
    !
    crypto isakmp policy 1
     encr 3des
     authentication pre-share
     group 2
    crypto isakmp key xxx address 190.0.0.1
    !
    !
    crypto ipsec transform-set bats esp-3des esp-sha-hmac
    !
    crypto map bats_map 2 ipsec-isakmp
     set peer 190.0.0.1
     set transform-set bats
     match address BATSACL
    !
    !
    !
    interface Ethernet0
     ip address 11.0.x.x 255.255.255.224
     ip nat outside
     full-duplex
     crypto map bats_map
    !
    interface FastEthernet0
     ip address 192.168.1.2 255.255.255.0
     ip nat inside
     speed 100
     full-duplex
    !
    ip nat inside source list bats-nat interface Ethernet0 overload
    ip classless
    ip route 0.0.0.0 0.0.0.0 11.0.0.1
    no ip http server
    no ip http secure-server
    !
    ip access-list extended BATSACL
     permit ip host 11.0.0.5 host 200.0.0.1
     permit ip host 192.168.1.100 host 200.0.0.1
     permit ip host 11.0.0.5 host 200.0.0.2
     permit ip host 192.168.1.100 host 200.0.0.2
     permit ip host 11.0.0.5 host 200.0.0.3
     permit ip host 192.168.1.100 host 200.0.0.3
    ip access-list extended bats-nat
     permit ip host 192.168.1.100 host 200.0.0.1 log
     permit ip host 192.168.1.100 host 200.0.0.2
     permit ip host 192.168.1.100 host 200.0.0.3
    !
    snmp-server community public RO
    snmp-server enable traps tty
    alias exec clip clear ip route *
    alias exec crs copy run start
    alias exec deb187 debug ip packet detail 187
    alias exec ospfnei sh ip ospf nei
    alias exec ship sho ip route
    alias exec shr sho run
    alias exec sib show ip interface brief
    alias exec sip sho ip pro
    alias exec tr traceroute
    alias exec ss sho sess
    alias exec sl sho line
    alias exec cl clear line
    !
    line con 0
    line aux 0
    line vty 0 4
     password xxx
     login

    OK. You must make sure that the ACLs are the same (but mirrored) on both sides, which means that you probably need to remove a few lines on Router 1. The ACL should look like this:

    ip access-list extended BATSACL
     permit ip host 11.0.0.5 host 200.0.0.1
     permit ip host 11.0.0.5 host 200.0.0.2
     permit ip host 11.0.0.5 host 200.0.0.3

    Remove the keyword "log" from this line:

    ip access-list extended bats-nat
     permit ip host 192.168.1.100 host 200.0.0.1 log

    OK, now that you've cleaned it up, try to bring the tunnel up again; try it with 200.0.0.1 and 200.0.0.2.

    Then check the debugs on the remote end.

  • Rule NAT VPN problem

    Hello people, I have had a lot of trouble trying to solve this problem, but hopefully someone here can enlighten me.

    I have a remote site that hosts a number of services that we manage remotely over an IPsec VPN connection. When connecting to the site we connect fine and can do most things, like RDP and connecting to servers for maintenance, but one service fails to connect unless I add a NAT exempt rule to the configuration of the router (ASA 5505).

    Once this rule is in place the service works, but other services that initially worked stop working. In short, this rule must be in place while doing a single task, but then removed for other tasks. I hope there is some sort of rule or behaviour I can add to the ASDM configuration so that I don't have to manually add this rule whenever I connect.

    Here are the details of the rule:

    access-list outside_nat0_outbound line 1 extended permit ip 192.168.15.192 255.255.255.192 192.168.15.0 255.255.255.0
    nat (outside) 0 access-list outside_nat0_outbound outside tcp 0 0 udp 0

    When the connection is established without the rule in place, the ASDM syslog shows these warnings:

    Deny tcp src inside: outside:10.100.32.203/135 dst61745 by access-group "inside_access_in" [0x0, 0x0]

    The strange thing is that 10.100.32.203 is the internal IP of my host computer. That is not even the external IP address of the network I connect from.

    Is it possibly a problem with the VPN pool using a subset of the inside VLAN subnet? The inside VLAN is 192.168.15.0/24 and the VPN pool is 192.168.15.200-250. I am ready to reconfigure the VPN address pool but need to do it remotely, and I don't know how to do this reconfiguration safely without losing my remote access, since physical access to the router itself is currently very difficult.

    If more details are needed, I am happy to give them.

    Hi GrahamB,

    Yes, the problem is the overlapping subnet.

    There are plenty of private addresses available, so please create a new group-policy and tunnel-group, assign them a separate IP address pool, and connect remotely with it; once the new pool solves your problem, you can safely remove the old one.

    I hope this helps.

    Thank you

    Rizwan Muhammed.

  • Policy NAT and static NAT for an L2L VPN

    Here's the scenario: I'm establishing an L2L VPN. When I try to find out which hosts inside my network need to access hosts on the remote network through the VPN, I can't get a straight answer from the people in charge.

    My thought was to use a private network of 10.17.24.0/24 and NAT all hosts on my inside network to 10.17.24.x. As a side note, the hosts on my inside network can be on any subnet in the range of 172.12.x.0. I would then put 10.17.24.0/24 in the interesting traffic for my crypto ACL. Since the hosts inside my network need to browse the Internet AND communicate with hosts on the remote network through the VPN, I was going to try to do this with policy NAT. Is it possible to use policy NAT in this case? Or do I need to use static? I started with static but eventually could not browse the Internet. I know I'm missing something with the static, but can't figure it out. I'm still pretty new to all this stuff, so please forgive my ignorance.

    For example:


    access-list allowed NAT1 host ip 172.21.1.1 REMOTEL2L_SUBNET
    access-list allowed NAT2 host ip 172.21.2.5 REMOTEL2L_SUBNET
    access-list allowed host ip 172.21.15.7 REMOTEL2L_SUBNET VIH3

    static (in, out) 10.17.24.1 access-list NAT1
    static (in, out) 10.17.24.2 access-list NAT2
    static (in, out) 10.17.24.3 access-list VIH3

    The above configuration will NAT 172.21.1.1 to 10.17.24.1 when it goes to the remote subnet (across the L2L).

    The same behavior applies to the other hosts.

    The important thing is that the crypto ACL must use the translated (NAT'd) addresses:

    access-list VPN permit ip host 10.17.24.1 REMOTEL2L_SUBNET
    access-list VPN permit ip host 10.17.24.2 REMOTEL2L_SUBNET
    access-list VPN permit ip host 10.17.24.3 REMOTEL2L_SUBNET

    Or just the whole subnet:

    access-list VPN permit ip 10.17.24.0 255.255.255.0 REMOTEL2L_SUBNET

    The important thing is that interesting traffic matches at both ends!

    In addition, you can still provide Internet and local access as normal...

    Internet access:

    nat (inside) 1 172.21.0.0 255.255.0.0

    global (outside) 1 interface

    Hope this helps.

    Federico.
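    The two rules Federico relies on (the crypto ACL must name the translated 10.17.24.x addresses because the ASA applies policy NAT before the crypto-map check, and interesting traffic must mirror exactly at both ends) can be checked mechanically. The following is an added example, not code from the thread; it assumes REMOTEL2L_SUBNET is 10.99.0.0/24 and constructs a sample peer ACL, one correct and one wrong.

```python
"""Consistency check for ASA static policy NAT plus an L2L crypto ACL.

Added example, not code from the thread. Inside hosts are translated to
10.17.24.x only for traffic to the remote L2L subnet, so the crypto ACL (and
the peer's mirror of it) must name 10.17.24.x, never the real 172.21.x.x
addresses. REMOTEL2L_SUBNET is assumed to be 10.99.0.0/24; the peer ACLs are
constructed sample data.
"""
from __future__ import annotations
import ipaddress
from dataclasses import dataclass

Net = ipaddress.IPv4Network
Addr = ipaddress.IPv4Address


@dataclass(frozen=True)
class PolicyStatic:
    """static (inside,outside) <mapped> access-list <acl>, where the ACL is
    'permit ip host <real> <remote>'."""
    real: str
    mapped: str
    remote: Net


@dataclass(frozen=True)
class Ace:
    """One 'permit ip <src> <dst>' line of a crypto ACL."""
    src: Net
    dst: Net


def ace(src: str, dst: str) -> Ace:
    return Ace(Net(src), Net(dst))


def covers(acl: list[Ace], src: str, dst: Net) -> bool:
    """True if some ACE matches host 'src' talking to all of 'dst'."""
    return any(Addr(src) in e.src and dst.subnet_of(e.dst) for e in acl)


def check_crypto_acl(statics: list[PolicyStatic], crypto: list[Ace]) -> list[str]:
    """NAT runs before the crypto-map check, so the crypto ACL must match the
    mapped address and must not match the real one."""
    problems = []
    for s in statics:
        if covers(crypto, s.real, s.remote):
            problems.append(f"{s.real}: crypto ACL matches the real address, "
                            "which never appears after policy NAT")
        if not covers(crypto, s.mapped, s.remote):
            problems.append(f"{s.mapped} -> {s.remote}: missing from crypto ACL")
    return problems


def check_mirror(local: list[Ace], peer: list[Ace]) -> list[str]:
    """Interesting traffic must match at both ends: every local ACE needs an
    exact src/dst-swapped twin on the peer, and vice versa."""
    ours = {(e.src, e.dst) for e in local}
    theirs = {(e.dst, e.src) for e in peer}  # swapped into our orientation
    return (sorted(f"peer lacks {d} -> {s}" for s, d in ours - theirs)
            + sorted(f"peer has extra {d} -> {s}" for s, d in theirs - ours))


def audit(statics, crypto, peer) -> list[str]:
    return check_crypto_acl(statics, crypto) + check_mirror(crypto, peer)


REMOTE = Net("10.99.0.0/24")  # assumed value of REMOTEL2L_SUBNET

STATICS = [
    PolicyStatic("172.21.1.1", "10.17.24.1", REMOTE),
    PolicyStatic("172.21.2.5", "10.17.24.2", REMOTE),
    PolicyStatic("172.21.15.7", "10.17.24.3", REMOTE),
]
CRYPTO_OK = [ace("10.17.24.0/24", "10.99.0.0/24")]    # whole-subnet form
CRYPTO_BAD = [ace("172.21.0.0/16", "10.99.0.0/24")]   # real addresses: wrong
PEER_OK = [ace("10.99.0.0/24", "10.17.24.0/24")]      # exact mirror (constructed)
PEER_BAD = [ace("10.99.0.0/24", "10.17.0.0/16")]      # superset, not a mirror

if __name__ == "__main__":
    for label, crypto, peer in (("good", CRYPTO_OK, PEER_OK), ("bad", CRYPTO_BAD, PEER_BAD)):
        print(label, audit(STATICS, crypto, peer) or "OK")
```

    The "bad" case reproduces the classic mistake of building the crypto ACL from the real 172.21.x.x hosts: the check flags both that those entries can never match and that the translated addresses are absent, and the mirror check rejects a peer ACL that is merely a superset rather than an exact swap.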

  • TZ300W - how to use a network monitor policy for a VPN host

    It is easy to create a network monitor policy for any WAN host.

    But if I want to monitor a VPN host, how can I do it...?

    Monitor a VPN host? Check whether the VPN works? I use the Zabbix software to monitor my hosts.

  • VPN through PAT and NAT

    We have a site where we want to set up a VPN tunnel to our headquarters.

    At this site there is a router that does PAT (NAT overloading), and then a few hops further there is a firewall that does NAT.

    Could this pose a problem for the VPN tunnel?

    Here's a "sketch" of what the connection looks like.

    Client --> PAT router --> NAT firewall --> Internet --> CVPN3005

    I hope you can provide me with an answer.

    The VPN tunnel will not work in your scenario. The second NAT changes the address and the ports you want to use for the VPN tunnel, so port 500 will be translated to a high port and will be rejected at HQ.

  • VPN tunnels with NAT

    I have read several posts on the topic and still think I'm missing something, so I'm looking for help.

    Basically, I'm now implementing multiple VPN tunnels for external connections. We are trying to keep the external "private" addresses off our base network by using NAT.

    I can get the tunnel to work without problems using the SHEEP ACL; however, this technique requires that our internal network be aware of their external "private" addresses. Our goal is to enter an address on the inside that is NAT'ed to the external "private" address and then sent via the VPN tunnel, basically to hide the external "private" address from our internal systems, so that it appears as though the connection was to one of our own networks.

    The reverse is true coming from their external "private" network. Anything originating from "their" external private network would arrive in our "private" address space.

    Is this possible? I am attaching a diagram, which might help.

    Hello

    Yes, this should be possible. Let's say you allocate 10.112.2.250 as the address you use to present the external server 192.168.10.10.

    On your ASA:

    static (outside,inside) 10.112.2.250 192.168.10.10 netmask 255.255.255.255

    You will need to make sure that when a system tries to connect to 10.112.2.250 it is routed to the ASA.

    HTH

    Jon

  • NAT the VPN DHCP pool to the LAN on a 2911 router

    I need to NAT the IPs assigned by the VPN DHCP pool to my LAN. My problem is that I do not know which interface to put my NAT statement on, since there is no interface in the same subnet as my DHCP pool. Any help would be appreciated.

    For remote-client IPsec you must have a DVTI, configured as described here:

    http://www.Cisco.com/en/us/docs/iOS/12_3t/12_3t14/feature/guide/gtIPSctm...

    Use 'ip nat inside' on the virtual-template and 'ip nat outside' on the inside interface.

    HTH

    Averroès.

  • NAT over the VPN tunnel and still reach the Internet

    Hello

    Thank you in advance for any help you can provide.

    I have a server with the IP 192.168.1.9 that needs to access a remote subnet, 192.168.50.0/24, through the Internet. However, before the server can access the remote subnet, the server IP must be NAT'ed to 10.1.0.1, because the remote VPN gateway (which is not under my control) also gives access to other customers who have the same subnet address as we do on our local network.

    We have a Cisco 2801 (running c2801-advsecurityk9-mz.124-15.T9.bin) set up to do the NAT. It is the only gateway on our network.

    I have configured the Cisco 2801 with the following NAT statements and the relevant access lists:

    access-list 106 permit ip host 192.168.1.9 192.168.50.0 0.0.0.255

    ip access-list extended NAT
     deny ip host 192.168.1.9 192.168.50.0 0.0.0.255
     deny ip 192.168.1.0 0.0.0.255 192.168.3.0 0.0.0.255
     permit ip 192.168.1.0 0.0.0.255 any

    route-map ISP permit 10
     match ip address NAT

    ip nat pool EMDVPN 10.1.0.1 10.1.0.1 netmask 255.255.255.0
    ip nat inside source list 106 pool EMDVPN
    ip nat inside source route-map ISP interface FastEthernet0/1 overload

    When the server (192.168.1.9) attempts to ping devices on the 192.168.50.0/24 subnet, the VPN tunnel is established successfully. However, after that, the server is no longer able to access the Internet, because the NAT translation for 192.168.1.9 has changed from the external IP address of the router (FastEthernet0/1) to 10.1.0.1.

    The documentation I've seen on Cisco's site says that this type of setup allows only host-to-subnet communication; Internet access is not possible. However, maybe I missed something, or one of you experts can help me. Is it possible to configure the router to NAT traffic destined for the VPN tunnel and still access the Internet using the dynamic NAT on FastEthernet0/1?

    Once again, thank you for any help you can give.

    Alex

    Hello

    Rather than using a pool for the NAT:

    192.168.1.9 -> 10.1.0.1 -> 192.168.50.x

    access-list 102 permit ip host 192.168.1.9 192.168.50.0 0.0.0.255

    route-map RM-STATIC-NAT permit 10
     match ip address 102

    ip nat inside source static 192.168.1.9 10.1.0.1 route-map RM-STATIC-NAT extendable

    access-list 101 deny ip host 192.168.1.9 192.168.50.0 0.0.0.255
    access-list 101 permit ip 192.168.1.0 0.0.0.255 any
    ip nat inside source list 101 interface FastEthernet0/1 overload

    The VPN access list will use 10.1.0.1 as the source...

    Let me know if it works.

    Regards

    M
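    Why the pool-based configuration breaks Internet access while the route-map static does not comes down to what kind of translation-table entry each rule creates. The model below is an added example, not code from the thread: it replays Alex's original rules and M's replacement against the same two packets (a VPN ping, then an Internet connection). It assumes a non-overloaded pool creates a simple entry keyed on the inside-local address alone, that overload and extendable statics create per-flow entries, that rules are consulted in the listed order, and that 203.0.113.1 is the FastEthernet0/1 address and 198.51.100.5 an Internet host.

```python
"""Model of how IOS picks a NAT translation for the two configurations.

Added example, not code from the thread. A non-overloaded pool installs a
*simple* entry (inside local -> inside global) that catches every later packet
from 192.168.1.9, whatever the destination; an extendable static tied to a
route-map, plus interface overload for everything else, installs per-flow
entries. Rule order, 203.0.113.1 (Fa0/1) and 198.51.100.5 (Internet host) are
assumptions.
"""
from __future__ import annotations
import ipaddress
from dataclasses import dataclass, field

Addr = ipaddress.IPv4Address


def parse_ace(line: str):
    """'permit ip host A B W' / 'deny ip A W any' -> (action, src_net, dst_net).
    ipaddress accepts IOS wildcard masks directly ('192.168.50.0/0.0.0.255')."""
    tok, nets, i = line.split(), [], 2
    while i < len(tok):
        if tok[i] == "host":
            nets.append(ipaddress.IPv4Network(tok[i + 1] + "/32")); i += 2
        elif tok[i] == "any":
            nets.append(ipaddress.IPv4Network("0.0.0.0/0")); i += 1
        else:
            nets.append(ipaddress.IPv4Network(f"{tok[i]}/{tok[i + 1]}")); i += 2
    return tok[0], nets[0], nets[1]


def acl_permits(acl: list[str], src: Addr, dst: Addr) -> bool:
    for action, s, d in map(parse_ace, acl):
        if src in s and dst in d:
            return action == "permit"
    return False  # implicit deny


@dataclass
class DynamicPool:
    """ip nat inside source list <acl> pool <pool>   (no overload)"""
    acl: list[str]
    pool_ip: str
    simple = True  # entry keyed on inside-local only

    def match(self, src, dst):
        return self.pool_ip if acl_permits(self.acl, src, dst) else None


@dataclass
class InterfaceOverload:
    """ip nat inside source {list <acl> | route-map <rm>} interface <if> overload"""
    acl: list[str]
    if_ip: str
    simple = False  # PAT: entry keyed on the flow

    def match(self, src, dst):
        return self.if_ip if acl_permits(self.acl, src, dst) else None


@dataclass
class StaticRouteMap:
    """ip nat inside source static <local> <global> route-map <rm> extendable"""
    local: str
    global_ip: str
    acl: list[str]
    simple = False

    def match(self, src, dst):
        ok = str(src) == self.local and acl_permits(self.acl, src, dst)
        return self.global_ip if ok else None


@dataclass
class Router:
    rules: list
    table: dict = field(default_factory=dict)

    def translate(self, src: str, dst: str) -> str:
        s, d = Addr(src), Addr(dst)
        if s in self.table:           # simple entry wins for every destination
            return self.table[s]
        if (s, d) in self.table:
            return self.table[(s, d)]
        for rule in self.rules:       # first matching rule installs the entry
            hit = rule.match(s, d)
            if hit:
                self.table[s if rule.simple else (s, d)] = hit
                return hit
        return src                    # no translation


FA0_1 = "203.0.113.1"  # assumed outside address
ACL_106 = ["permit ip host 192.168.1.9 192.168.50.0 0.0.0.255"]
ACL_NAT = ["deny ip host 192.168.1.9 192.168.50.0 0.0.0.255",
           "deny ip 192.168.1.0 0.0.0.255 192.168.3.0 0.0.0.255",
           "permit ip 192.168.1.0 0.0.0.255 any"]
ACL_102 = ["permit ip host 192.168.1.9 192.168.50.0 0.0.0.255"]
ACL_101 = ["deny ip host 192.168.1.9 192.168.50.0 0.0.0.255",
           "permit ip 192.168.1.0 0.0.0.255 any"]


def original_config() -> Router:
    return Router([DynamicPool(ACL_106, "10.1.0.1"), InterfaceOverload(ACL_NAT, FA0_1)])


def fixed_config() -> Router:
    return Router([StaticRouteMap("192.168.1.9", "10.1.0.1", ACL_102),
                   InterfaceOverload(ACL_101, FA0_1)])


def run(router: Router) -> tuple[str, str]:
    """VPN ping first, then an Internet connection from the same server."""
    return (router.translate("192.168.1.9", "192.168.50.10"),
            router.translate("192.168.1.9", "198.51.100.5"))


if __name__ == "__main__":
    print("original:", run(original_config()))  # Internet stuck on 10.1.0.1
    print("fixed:   ", run(fixed_config()))
```

    With the original rules the first VPN packet installs a simple entry for 192.168.1.9, and the Internet packet that follows is answered from the table before any ACL is consulted. With the replacement, the static only fires when route-map 102 matches, so the Internet packet falls through to the overload rule and leaves as the interface address.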

  • %ASA-5-305013: Asymmetric NAT rules matched for forward and reverse flows; connection denied due to NAT reverse path failure. VPN client NAT problems after upgrading to 8.3.2.

    I've recently upgraded to 8.3.2 and I was informed about the NAT changes, but even after reading https://supportforums.cisco.com/docs/DOC-12569 I am still unable to get the 192.168.100.0 VPN network communicating with hosts on 172.16.1.0 and 172.16.9.0. VPN clients connect to the outside interface, and I try to ping the inside and the DMZ, 172.16.1.0 and 172.16.9.0 respectively. The VPN client shows the two networks mentioned above as secured routes, but still no ping.

    # show nat

    Manual NAT Policies (Section 1)

    1 (inside) to (outside) source static obj-172.16.9.0 obj-172.16.9.0 destination static obj-192.168.100.0 obj-192.168.100.0 unidirectional
        translate_hits = 0, untranslate_hits = 0

    2 (inside) to (outside) source static obj-172.16.1.0 obj-172.16.1.0 destination static obj-192.168.100.0 obj-192.168.100.0 unidirectional
        translate_hits = 0, untranslate_hits = 0

    3 (inside) to (outside) source static obj-172.16.1.0 obj-172.16.1.0 destination static obj-172.16.12.0 obj-172.16.12.0 unidirectional
        translate_hits = 0, untranslate_hits = 0

    4 (dmz) to (outside) source static obj-172.16.9.0 obj-172.16.9.0 destination static obj-192.168.100.0 obj-192.168.100.0 unidirectional
        translate_hits = 0, untranslate_hits = 0

    5 (dmz) to (outside) source static obj-172.16.9.0 obj-172.16.9.0 destination static obj-172.16.12.0 obj-172.16.12.0 unidirectional
        translate_hits = 0, untranslate_hits = 0

    Auto NAT Policies (Section 2)

    1 (dmz) to (outside) source static obj-172.16.9.5 interface service tcp www www
        translate_hits = 0, untranslate_hits = 142

    2 (dmz) to (outside) source static obj-172.16.9.5-01 interface service tcp 3389 3389
        translate_hits = 0, untranslate_hits = 2

    3 (dmz) to (outside) source static obj-172.16.9.5-02 interface service tcp ldap ldap
        translate_hits = 0, untranslate_hits = 0

    4 (dmz) to (outside) source static obj-172.16.9.5-03 interface service tcp ftp ftp
        translate_hits = 0, untranslate_hits = 0

    5 (dmz) to (outside) source static obj-172.16.9.5-04 interface service tcp smtp smtp
        translate_hits = 0, untranslate_hits = 267

    6 (inside) to (dmz) source static obj-172.16.9.0 172.16.9.0
        translate_hits = 4070, untranslate_hits = 224

    7 (inside) to (dmz) source static obj-10.1.0.0 10.1.0.0
        translate_hits = 0, untranslate_hits = 0

    8 (inside) to (dmz) source static obj-172.16.0.0 172.16.0.0
        translate_hits = 152, untranslate_hits = 4082

    9 (dmz) to (outside) source dynamic obj-172.16.9.0-01 interface
        translate_hits = 69, untranslate_hits = 0

    10 (inside) to (outside) source dynamic obj_any interface
        translate_hits = 196, untranslate_hits = 32

    I think you need the following two NAT configs:

    nat (inside,outside) source static obj-172.16.1.0 obj-172.16.1.0 destination static obj-192.168.100.0 obj-192.168.100.0
    nat (dmz,outside) source static obj-172.16.9.0 obj-172.16.9.0 destination static obj-192.168.100.0 obj-192.168.100.0

    Please configure them, remove any additional NAT configuration, and then try again.
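    The difference between the rules in the posted `show nat` and the two the reply proposes is the trailing `unidirectional` keyword, and the zero hit counters show the VPN traffic never matched them. The parser below is an added example, not code from the thread: it reads `show nat` output in the 8.3 layout (SAMPLE is constructed from the objects in the post, not the original output), flags identity rules toward the VPN pool that are unidirectional, and emits the corrected statement. The pool object name obj-192.168.100.0 is taken from the post; the reasoning about why unidirectional produces 305013 is this example's, not the reply's.

```python
"""Parse ASA 8.3+ 'show nat' output and flag rules that will produce
%ASA-5-305013 for VPN-client traffic.

Added example, not code from the thread. SAMPLE is constructed in the 8.3
'show nat' layout using the objects from the post.
"""
from __future__ import annotations
import re
from dataclasses import dataclass

RULE = re.compile(
    r"^(?P<id>\d+) \((?P<ingress>\S+)\) to \((?P<egress>\S+)\) "
    r"source (?P<kind>static|dynamic) (?P<src_real>\S+) (?P<src_mapped>\S+)"
    r"(?:\s+destination static (?P<dst_real>\S+) (?P<dst_mapped>\S+))?"
    r"(?P<rest>.*)$")
HITS = re.compile(r"translate_hits = (\d+), untranslate_hits = (\d+)")


@dataclass
class NatRule:
    section: str
    id: int
    flags: str
    ingress: str
    egress: str
    kind: str
    src_real: str
    src_mapped: str
    dst_real: str | None
    dst_mapped: str | None
    translate_hits: int = 0
    untranslate_hits: int = 0


def parse_show_nat(text: str) -> list[NatRule]:
    rules, section = [], "?"
    for line in text.splitlines():
        if line.startswith("Manual NAT"):
            section = "manual"; continue
        if line.startswith("Auto NAT"):
            section = "auto"; continue
        m = RULE.match(line.strip())
        if m:
            g = m.groupdict()
            rules.append(NatRule(section, int(g.pop("id")), g.pop("rest").strip(), **g))
            continue
        h = HITS.search(line)
        if h and rules:  # hit counters belong to the rule printed just above
            rules[-1].translate_hits, rules[-1].untranslate_hits = int(h[1]), int(h[2])
    return rules


def audit(rules: list[NatRule], vpn_pool: str = "obj-192.168.100.0") -> list[str]:
    """An identity rule written (inside,outside) ... unidirectional is only
    consulted for packets leaving 'inside'. A VPN client's packet arriving on
    'outside' is therefore not matched by it, while the reply is, and that
    mismatch is what 305013 reports (this explanation is the example's own)."""
    findings = []
    for r in rules:
        if r.section != "manual" or r.dst_mapped != vpn_pool:
            continue
        if "unidirectional" in r.flags:
            findings.append(f"manual {r.id} ({r.ingress},{r.egress}): unidirectional, "
                            f"so traffic from {vpn_pool} cannot match it in reverse")
        elif r.translate_hits == 0 and r.untranslate_hits == 0:
            findings.append(f"manual {r.id}: no hits yet, check the objects cover the traffic")
    return findings


def corrected_line(r: NatRule) -> str:
    """The bidirectional identity statement the reply proposes."""
    return (f"nat ({r.ingress},{r.egress}) source static {r.src_real} {r.src_mapped} "
            f"destination static {r.dst_real} {r.dst_mapped}")


SAMPLE = """\
Manual NAT Policies (Section 1)
1 (inside) to (outside) source static obj-172.16.9.0 obj-172.16.9.0   destination static obj-192.168.100.0 obj-192.168.100.0 unidirectional
    translate_hits = 0, untranslate_hits = 0
2 (inside) to (outside) source static obj-172.16.1.0 obj-172.16.1.0   destination static obj-192.168.100.0 obj-192.168.100.0 unidirectional
    translate_hits = 0, untranslate_hits = 0
4 (dmz) to (outside) source static obj-172.16.9.0 obj-172.16.9.0   destination static obj-192.168.100.0 obj-192.168.100.0 unidirectional
    translate_hits = 0, untranslate_hits = 0

Auto NAT Policies (Section 2)
1 (dmz) to (outside) source static obj-172.16.9.5 interface   service tcp www www
    translate_hits = 0, untranslate_hits = 142
10 (inside) to (outside) source dynamic obj_any interface
    translate_hits = 196, untranslate_hits = 32
"""

if __name__ == "__main__":
    parsed = parse_show_nat(SAMPLE)
    for f in audit(parsed):
        print(f)
    for r in parsed:
        if r.section == "manual" and "unidirectional" in r.flags:
            print("fix:", corrected_line(r))
```

    Running it on the sample prints one finding per VPN-pool rule and the three replacement statements, of which the two for obj-172.16.1.0 and the dmz obj-172.16.9.0 are exactly the lines in the reply.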

  • SSL VPN NAT issue, 8.3 to 8.2

    While studying and testing SSL VPN on an ASA, I have the network as shown in the attached diagram. The configuration came from an ASA running 8.3, but our ASA is on 8.2, and at this time I am not familiar with the new NAT configuration and commands in 8.3 and later. I'm wondering if anyone can translate the

    "nat (inside,outside) source static ..." statement into its 8.2 form for me.

    Appreciate any help.

    Jeff

    nat (inside,outside) source static NETWORK_OBJ_192.168.3.0_Net1 NETWORK_OBJ_192.168.3.0_Net1 destination static NETWORK_OBJ_192.168.100.0_RemotePool NETWORK_OBJ_192.168.100.0_RemotePool

    Hello

    This seems to be a NAT0 / NAT exempt configuration in the new 8.3+ NAT format.

    And I guess that would make sense, since we are talking about VPN connections.

    It should be something like this:

    access-list INSIDE-NAT0 extended permit ip 192.168.3.0 255.255.255.0 192.168.100.0 255.255.255.0

    nat (inside) 0 access-list INSIDE-NAT0

    Naturally the names/networks used in the configuration may differ depending on the actual existing configuration on your firewall.

    -Jouni
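    Jouni's mapping only holds because the statement is identity NAT (real and mapped objects are the same on both the source and the destination side); a twice-NAT statement that actually translates has no `nat 0` equivalent. The converter below is an added example, not code from the thread: it resolves the object names from a constructed 8.3 `object network` fragment, refuses anything that is not identity NAT, and emits the 8.2 `nat 0 access-list` pair. The ACL name INSIDE-NAT0 follows Jouni's reply; the object definitions are assumed.

```python
"""Translate an 8.3+ identity twice-NAT statement into the 8.2 'nat 0
access-list' form.

Added example, not code from the thread. CONFIG is a constructed 8.3
fragment; only identity statements (real == mapped on both sides) are NAT
exemption, so anything else is refused rather than silently turned into nat 0.
"""
from __future__ import annotations
import re

OBJECT_RE = re.compile(r"^object network (\S+)$")
MEMBER_RE = re.compile(r"^\s+(subnet (\S+) (\S+)|host (\S+))$")
NAT_RE = re.compile(
    r"^nat \((\S+),(\S+)\) source static (\S+) (\S+) destination static (\S+) (\S+)")


def parse_objects(cfg: str) -> dict[str, str]:
    """Map object name -> '<network> <mask>' or 'host <addr>' as 8.2 ACLs want it."""
    objects, current = {}, None
    for line in cfg.splitlines():
        m = OBJECT_RE.match(line)
        if m:
            current = m[1]
            continue
        m = MEMBER_RE.match(line)
        if m and current:
            objects[current] = f"{m[2]} {m[3]}" if m[2] else f"host {m[4]}"
    return objects


def to_nat0(stmt: str, objects: dict[str, str], acl_name: str = "INSIDE-NAT0") -> list[str]:
    """Return the two 8.2 lines, or raise if the statement is not NAT exemption."""
    m = NAT_RE.match(stmt.strip())
    if not m:
        raise ValueError("not a 'source static ... destination static ...' statement")
    ingress, _egress, s_real, s_mapped, d_real, d_mapped = m.groups()
    if s_real != s_mapped or d_real != d_mapped:
        raise ValueError("not identity NAT: this statement translates, nat 0 would not")
    return [f"access-list {acl_name} extended permit ip {objects[s_real]} {objects[d_real]}",
            f"nat ({ingress}) 0 access-list {acl_name}"]


CONFIG = """\
object network NETWORK_OBJ_192.168.3.0_Net1
 subnet 192.168.3.0 255.255.255.0
object network NETWORK_OBJ_192.168.100.0_RemotePool
 subnet 192.168.100.0 255.255.255.0
"""
STATEMENT = ("nat (inside,outside) source static NETWORK_OBJ_192.168.3.0_Net1 "
             "NETWORK_OBJ_192.168.3.0_Net1 destination static "
             "NETWORK_OBJ_192.168.100.0_RemotePool NETWORK_OBJ_192.168.100.0_RemotePool")

if __name__ == "__main__":
    print("\n".join(to_nat0(STATEMENT, parse_objects(CONFIG))))
```

    The identity check is the part worth keeping: an 8.3 statement whose mapped objects differ from the real ones is a real translation, and converting it to `nat 0` would silently drop the translation instead of reproducing it.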
