Problem of NAT or ACL?

Hello

I have a Cisco 850 running 12.4 (2) with a tunnel of L2L existing to another Cisco router. I try to add remote access to the Cisco 850 and I have, what, in my view, is an ACL or NAT problem. I can connect to the 850 with the VPN client and get an address from the pool, but I can't ping in the internal network. Any help is appreciated. Here is my config:

Your NAT ACL 101 must refuse the IP with internal IP remote VPN hen 10.2.199.x.

Tags: Cisco Security

Similar Questions

Problems with NAT? Can't access internet from inside the network?

I was intrigued with this problem for a few days now. I'm stuck on what could be the issue. The problem is that I can ping my router, G0/0 and G0/1, to the internet. However, since the switch and my PC, I can not ping Internet. I'm sure that everything is configured correctly, but here is my setup for the switch and the router:

Router 1:

version 15.1
no service button
horodateurs service debug datetime msec
Log service timestamps datetime msec
encryption password service
!
hostname LAN_Router_1
!
boot-start-marker
boot-end-marker
!
!
enable secret 5 *.
!
No aaa new-model
!
no location network-clock-participate 3
!
dot11 syslog
no ip source route
!
IP cef
!
!
!
!
domain IP MyTestLab.com
8.8.8.8 IP name-server
IP-server names 8.8.4.4
No ipv6 cef
!
Authenticated MultiLink bundle-name Panel
!
!
!
!
!
voice-card 0
!
!
!
!
!
!
!
Crypto pki token removal timeout default 0
!
!
!
!
license udi pid CISCO3845-MB sn FOC105013BA
username * secret privilege 15 5 *.
!
redundancy
!
!
property intellectual ssh time 60
property intellectual ssh authentication-2 retries
property intellectual ssh event logging
property intellectual ssh version 2
!
!
!
!
!
!
!
!
interface Loopback0
192.168.254.1 IP 255.255.255.255
!
interface GigabitEthernet0/0
DHCP IP address
penetration of the IP stream
stream IP output
NAT outside IP
IP virtual-reassembly in
automatic duplex
automatic speed
media type rj45
!
interface GigabitEthernet0/1
the IP 192.168.0.1 255.255.255.248
penetration of the IP stream
stream IP output
IP nat inside
IP virtual-reassembly in
GLBP 100 ip 192.168.0.4
priority GLBP 100 115
GLBP 100 preempt
automatic duplex
automatic speed
media type rj45
!
ospf Router 5
router ID - 192.168.254.1
network 192.168.0.1 0.0.0.0 area 1
192.168.254.1 network 0.0.0.0 area 0
!
IP forward-Protocol ND
no ip address of the http server
no ip http secure server
!
!
IP nat inside source list 10 interface GigabitEthernet0/0 overload
IP route 0.0.0.0 0.0.0.0 dhcp
!
access-list 10 permit 192.168.94.32 0.0.0.15 connect
access-list 10 permit 192.168.17.0 connect 0.0.0.7
access-list 10 permit 192.168.52.0 connect 0.0.0.7

access-list 10 permit 192.168.0.0 0.0.0.7 connect
access-list 10 deny any newspaper
!
!
!
!
!
!
control plan
!
!
!
!

profile MGCP default
!
!
!
!
!
connection of the banner ^ C
W A R N I N G

THIS IS A PRIVATE COMPUTER SYSTEM.

This computer system, including all related equipment, network devices
(specifically including Internet access), are provided only for
authorized used.

All computer systems may be monitored for all lawful, including purpose
to ensure that their use is authorized, for management of the system, to
facilitate protection against unauthorized access, and to verify security
survival and operational security procedures.

Monitoring includes active attacks by authorized personnel and their
entities to test or verify the security of the system. During the surveillance,.
information may be examined, recorded, copied and used for authorized
purposes.

All information, including personal information, placed on or sent over
This system may be monitored. Uses of this system, authorized or
unauthorized, constitutes consent to monitoring of this system.

Unauthorized use may subject you to criminal prosecution. Evidence of
any unauthorized use collected during monitoring may be used for
administrative, criminal or other adverse action. Use of this system
constitutes a consent to monitoring for these purposes.
^ C
!
Line con 0
Synchronous recording
local connection
line to 0
line vty 0
local connection
entry ssh transport
output transport ssh
line vty 1 4
opening of session
transport of entry all
!
Scheduler allocate 20000 1000
NTP 198.60.73.8 Server
NTP 13.85.70.43 Server
SaveRunConfig event manager applet
cron cron-event timer entry ' 0 0 * * ".
command action 1.0 cli 'enable '.
cli 2.0 action command "RAM".

Router 2:

version 15.1
horodateurs service debug datetime msec
Log service timestamps datetime msec
encryption password service
!
hostname LAN_Router_2
!
boot-start-marker
boot-end-marker
!
!
! card order type necessary for slot 1
Monitor logging warnings
enable secret 5 *.
!
No aaa new-model
!
clock timezone CST - 5 0
!
dot11 syslog
IP source-route
!
IP cef
!
!
!
!
domain IP MyTestLab.com
8.8.8.8 IP name-server
IP-server names 8.8.4.4
No ipv6 cef
!
Authenticated MultiLink bundle-name Panel
!
!
!
!
type of parameter-card inspect global
Select a dropped packet newspapers
!
voice-card 0
!
!
!
!
!

!
!
Crypto pki token removal timeout default 0
!
!
!
!
license udi pid CISCO3845-MB sn FOC1411592J
username * secret 5 *.

!
redundancy
!
!
property intellectual ssh time 60
property intellectual ssh authentication-2 retries
property intellectual ssh event logging
property intellectual ssh version 2
!
!
!
!
!
!
!
!
interface Loopback0
192.168.254.2 the IP 255.255.255.255
!
interface GigabitEthernet0/0
DHCP IP address
penetration of the IP stream
stream IP output
NAT outside IP
IP virtual-reassembly in
automatic duplex
automatic speed
media type rj45
!
interface GigabitEthernet0/1
IP 192.168.0.2 255.255.255.248
penetration of the IP stream
stream IP output
IP nat inside
IP virtual-reassembly in
GLBP 100 ip 192.168.0.4
priority GLBP 100 110
automatic duplex
automatic speed
media type rj45
!
ospf Router 5
router ID - 192.168.254.2
network 192.168.0.2 0.0.0.0 area 1
0.0.0.0 network 192.168.254.2 area 0
!
Default IP gateway 192.168.0.1
IP forward-Protocol ND
no ip address of the http server
no ip http secure server
!
!
IP nat inside source list 10 interface GigabitEthernet0/0 overload
IP route 0.0.0.0 0.0.0.0 dhcp
!
SSH extended IP access list
permit tcp host 192.168.52.2 any eq 22 log
permit tcp 192.168.10.0 0.0.0.255 any eq 22 log
permit tcp host 192.168.17.18 any eq 22 log
any eq 22 host tcp 192.168.0.1 newspaper permit
permit tcp host 192.168.0.2 any eq 22 log
permit tcp host 192.168.0.3 any eq 22 log
permit tcp host 192.168.0.5 any eq 22 log
denyip a session
!
access-list 10 permit 192.168.94.32 0.0.0.15 connect
access-list 10 permit 192.168.17.0 connect 0.0.0.7
access-list 10 permit 192.168.52.0 connect 0.0.0.7
access-list 10 permit 192.168.0.0 0.0.0.7 connect
access-list 10 deny any newspaper
!
!
!
!
!
!
control plan
!
!
!
!
profile MGCP default
!
!
!
!
!
connection of the banner ^ C
W A R N I N G

THIS IS A PRIVATE COMPUTER SYSTEM.

This computer system, including all related equipment, network devices
(specifically including Internet access), are provided only for
authorized used.

Unauthorized use may subject you to criminal prosecution. Evidence of
any unauthorized use collected during monitoring may be used for
administrative, criminal or other adverse action. Use of this system
constitutes a consent to monitoring for these purposes.
^ C
!
Line con 0
session-timeout 360
exec-timeout 360 0
7 password *.
Synchronous recording
local connection
line to 0
opening of session
line vty 0 4
SSH access class in
Synchronous recording
local connection
entry ssh transport
output transport ssh
!
Scheduler allocate 20000 1000
NTP 198.60.73.8 Server
NTP 13.85.70.43 Server
SaveRunConfig event manager applet
cron cron-event timer entry ' 0 0 * * ".
command action 1.0 cli 'enable '.
cli 2.0 action command "RAM".

Switch:

version 12.2
no service button
tcp KeepAlive-component snap-in service
a tcp-KeepAlive-quick service
horodateurs service debug uptime
Log service timestamps uptime
encryption password service
!
hostname LAN_Switch
!
boot-start-marker
boot-end-marker
!
!
username * secret privilege 15 5 *.
!
!
!
No aaa new-model
clock timezone CST - 6
1 supply ws-c3750-24ts switch
mtu 1500 routing system
IP routing
IP - domain name MyTestLab.com
8.8.8.8 IP name-server
IP-server names 8.8.4.4
!
!
!
!
!
!
!
!
!
spanning tree mode rapid pvst
spanning tree logging
spanning tree extend id-system
!
internal allocation policy of VLAN ascendant
!
property intellectual ssh time 60
property intellectual ssh authentication-2 retries
property intellectual ssh event logging
property intellectual ssh version 2
!
!
interface Loopback0
192.168.254.5 the IP 255.255.255.255
!
interface FastEthernet1/0/1
switchport access vlan 17
switchport mode access
spanning tree portfast
spanning tree enable bpduguard
!
interface FastEthernet1/0/2
switchport access vlan 10
switchport mode access
spanning tree portfast
spanning tree enable bpduguard
!
interface FastEthernet1/0/3
switchport access vlan 666
switchport mode access
Shutdown
spanning tree portfast
spanning tree enable bpduguard
!
interface FastEthernet1/0/4
switchport access vlan 666
switchport mode access
Shutdown
spanning tree portfast
spanning tree enable bpduguard

!
interface FastEthernet1/0/5
switchport access vlan 666
switchport mode access
Shutdown
spanning tree portfast
spanning tree enable bpduguard
!
interface FastEthernet1/0/6
switchport access vlan 666
switchport mode access
Shutdown
spanning tree portfast
spanning tree enable bpduguard
!
interface FastEthernet1/0/7
switchport access vlan 666
switchport mode access
Shutdown
spanning tree portfast
spanning tree enable bpduguard
!
interface FastEthernet1/0/8
switchport access vlan 666
switchport mode access
Shutdown
spanning tree portfast
spanning tree enable bpduguard
!
interface FastEthernet1/0/9
switchport access vlan 666
switchport mode access
Shutdown
spanning tree portfast
spanning tree enable bpduguard
!
interface FastEthernet1/0/10
switchport access vlan 666
switchport mode access
Shutdown
spanning tree portfast
spanning tree enable bpduguard
!
interface FastEthernet1/0/11
switchport access vlan 666
switchport mode access
Shutdown
spanning tree portfast
spanning tree enable bpduguard
!
interface FastEthernet1/0/12
switchport access vlan 666
switchport mode access
Shutdown
spanning tree portfast
spanning tree enable bpduguard
!
interface FastEthernet1/0/13
switchport access vlan 666
switchport mode access
Shutdown
spanning tree portfast
spanning tree enable bpduguard
!
interface FastEthernet1/0/14
switchport access vlan 666
switchport mode access
Shutdown
spanning tree portfast
spanning tree enable bpduguard
!
interface FastEthernet1/0/15
switchport access vlan 666
switchport mode access
Shutdown
spanning tree portfast
spanning tree enable bpduguard
!
interface FastEthernet1/0/16
switchport access vlan 666
switchport mode access
Shutdown
spanning tree portfast
spanning tree enable bpduguard
!
interface FastEthernet1/0/17
switchport access vlan 666
switchport mode access
Shutdown
spanning tree portfast
spanning tree enable bpduguard
!
interface FastEthernet1/0/18
switchport access vlan 666
switchport mode access
Shutdown
spanning tree portfast
spanning tree enable bpduguard
!
interface FastEthernet1/0/19
Description # PC #.
switchport access vlan 10
switchport mode access
spanning tree portfast
spanning tree enable bpduguard
!
interface FastEthernet1/0/20
Description # X_BOX #.
switchport access vlan 666
switchport mode access
Shutdown
spanning tree portfast
spanning tree enable bpduguard
!
interface FastEthernet1/0/21
switchport access vlan 94
switchport mode access
spanning tree portfast
spanning tree enable bpduguard
!
interface FastEthernet1/0/22
switchport access vlan 5
switchport mode access
!
interface FastEthernet1/0/23
switchport access vlan 5
switchport mode access
!
interface FastEthernet1/0/24
switchport access vlan 5
switchport mode access
!
GigabitEthernet1/0/1 interface
switchport access vlan 666
Shutdown
!
interface GigabitEthernet1/0/2
switchport access vlan 666
Shutdown
!
interface Vlan1
no ip address
Shutdown
!
interface Vlan5
IP 192.168.0.5 255.255.255.248
!
interface Vlan10
address 192.168.10.2 255.255.255.0
!
interface Vlan17
IP 192.168.17.17 255.255.255.248
!
interface Vlan52
IP 192.168.52.1 255.255.255.248
!
interface Vlan94
IP 192.168.94.33 255.255.255.240
!
ospf Router 5
router ID - 192.168.254.5
Log-adjacency-changes
network 192.168.0.5 0.0.0.0 area 1
network 192.168.10.2 0.0.0.0 area 2
network 192.168.17.17 0.0.0.0 area 2
network 192.168.52.1 0.0.0.0 area 2
network 192.168.94.33 0.0.0.0 area 2
0.0.0.0 network 192.168.254.5 area 0
!
IP classless
IP route 0.0.0.0 0.0.0.0 192.168.0.4 permanent
no ip address of the http server
no ip http secure server
!
!
SSH_IN extended IP access list
permit tcp host 192.168.52.2 any eq 22 log
permit tcp 192.168.10.0 0.0.0.255 any eq 22 log
permit tcp host 192.168.17.18 any eq 22 log
any eq 22 host tcp 192.168.0.1 newspaper permit
permit tcp host 192.168.0.2 any eq 22 log
permit tcp host 192.168.0.3 any eq 22 log
permit tcp host 192.168.0.5 any eq 22 log
deny ip any any newspaper
!
!
connection of the banner ^ C
W A R N I N G
THIS IS A PRIVATE COMPUTER SYSTEM.
This computer system, including all related equipment, network devices
(specifically including Internet access), are provided only for
authorized used.
All computer systems may be monitored for all lawful, including purpose
to ensure that their use is authorized, for management of the system, to
facilitate protection against unauthorized access, and to verify security
survival and operational security procedures.
Monitoring includes active attacks by authorized personnel and their
entities to test or verify the security of the system. During the surveillance,.
information may be examined, recorded, copied and used for authorized
purposes.
All information, including personal information, placed on or sent over
This system may be monitored. Uses of this system, authorized or
unauthorized, constitutes consent to monitoring of this system.
Unauthorized use may subject you to criminal prosecution. Evidence of
any unauthorized use collected during monitoring may be used for
administrative, criminal or other adverse action. Use of this system
constitutes a consent to monitoring for these purposes.
^ C
!
Line con 0
session-timeout 60
exec-timeout 60 0
Synchronous recording
local connection
line vty 0
access-class SSH_IN in
local connection
line vty 1 4
access-class SSH_IN in
opening of session
line vty 5 15
access-class SSH_IN in
opening of session
!
NTP 198.60.73.8 Server
Event Manager environment suspend_ports_config flash: / susp_ports.dat
Event Manager environment suspend_ports_days 7
Event Manager user Directorystrategie "flash: / policies /.
Event manager session cli username "stw".
political event manager sl_suspend_ports.tcl
political event manager tm_suspend_ports.tcl
SaveRunConfig event manager applet
cron cron-event timer entry ' 0 0 * * ".
command action 1.0 cli 'enable '.
cli 2.0 action command "RAM".

Well, I totally forgot the keyword "log" and NAT:

Cisco IOS NAT support ACLs with a keyword "log"?

A. When you configure Cisco IOS NAT translation dynamic NAT, an ACL is used to identify the packages that can be translated. The current NAT architecture does not support the ACL with a keyword "log".

http://www.Cisco.com/c/en/us/support/docs/IP/network-address-translation...

If your problem is not the mask with joker, but the command "log"...

NAT 0 0 nat nat static ACLs

Anyone know what the order of nat/static... .is it nat 0 acl, nat 0, static, nat? where nat 0 acl is first and nat is the last... for example if I have an address that meets the criteria of nat 0 acl, nat 0, static, NAT... what happens?

John

Order of preference for the translation goes as follows:

(1) nat 0 access-list (free of nat)

(2) match against existing xlates

(3) static

(a) nat public static with no access-list (first match)

(b) public static pat with no access-list (first match)

(4) nat

(a) nat access-list (first match) Note: nat 0-list of access is not part of this command.

(b) nat (best match) Note: when you choose a global address of multiple pools with the same id of nat, the following order is tried

(i) if the id is 0, create an xlate identity.

(II) use the global pool for dynamic NAT

(III) use the global pool for PAT dynamic

(5) error

Problems of NAT for Xbox a Live, AC1900 Smart WiFi router model # R7000

I can't get NAT open for my Xbox One, it is set to moderate right now. I tried to turn NAT, filtering to open, address reservation, go wireless Ethernet, port forwarding / port triggering TCP/UDP 3074.

Any help would be appreciated

Yes, that's all. So, your ISP is NATing your traffic. Your situation is similar to the guy with the WiMAX. I went and found this thread.
https://community.NETGEAR.com/T5/Nighthawk-WiFi-routers/NIghtHawk-r7000-PS4-NAT-type-strict-3-issues...

This guy had to call his ISP and ended up paying for an address public IP NAT problems. You will need to contact your ISP and either ask a public IP address, or ask them how to configure their gateway port forwarding. Read the other thread.

Problem of NAT with PIX 515E

I configured a PIX 515E, OS 7.0 (1) f? PAT r dynamic of the inside of the network to the external ip address of the PIX. I also configured for icmp access lists from inside to outside and inside. All traffic (www, dns, ftp, etc.) works very well except ping. Whenever I do a ping from host inside to any address outside, I get the following error messages:

6. August 24, 2006 11:10:52 | 609002: duration of disassembly-outside local host: 193.222.224.104 0:00:10

6. August 24, 2006 11:10:52 | 302021: connection of disassembly ICMP for faddr gaddr laddr 8994/FDFR001 212.203.90.59/9 193.222.224.104/0

6. August 24, 2006 11:10:50 | 302021: connection of disassembly ICMP for faddr 193.222.224.104/0 gaddr 212.203.90.59/8 laddr FDFR001/8993

4. August 24, 2006 11:10:50 | 106023: Deny icmp src, dst outside: 193.222.224.104 inside: 212.203.90.59 (type 0, code 0) by access-group "outside_access_in".

6. August 24, 2006 11:10:50 | 302020: ICMP connection built for faddr gaddr laddr 8994/FDFR001 212.203.90.59/9 193.222.224.104/0

6. August 24, 2006 11:10:48 | 302021: connection of disassembly ICMP for faddr 193.222.224.104/0 gaddr 212.203.90.59/7 laddr FDFR001/8992

4. August 24, 2006 11:10:48 | 106023: Deny icmp src, dst outside: 193.222.224.104 inside: 212.203.90.59 (type 0, code 0) by access-group "outside_access_in".

6. August 24, 2006 11:10:48 | 302020: ICMP connection built for faddr 193.222.224.104/0 gaddr 212.203.90.59/8 laddr FDFR001/8993

6. August 24, 2006 11:10:46 | 302021: connection of disassembly ICMP for faddr 193.222.224.104/0 gaddr 212.203.90.59/6 laddr FDFR001/8991

4. August 24, 2006 11:10:46 | 106023: Deny icmp src, dst outside: 193.222.224.104 inside: 212.203.90.59 (type 0, code 0) by access-group "outside_access_in".

6. August 24, 2006 11:10:46 | 302020: ICMP connection built for faddr 193.222.224.104/0 gaddr 212.203.90.59/7 laddr FDFR001/8992

6. August 24, 2006 11:10:44 | 302021: connection of disassembly ICMP for faddr 193.222.224.104/0 gaddr 212.203.90.59/5 laddr FDFR001/8990

4. August 24, 2006 11:10:44 | 106023: Deny icmp src, dst outside: 193.222.224.104 inside: 212.203.90.59 (type 0, code 0) by access-group "outside_access_in".

6. August 24, 2006 11:10:44 | 302020: ICMP connection built for faddr 193.222.224.104/0 gaddr 212.203.90.59/6 laddr FDFR001/8991

4. August 24, 2006 11:10:42 | 106023: Deny icmp src, dst outside: 193.222.224.104 inside: 212.203.90.59 (type 0, code 0) by access-group "outside_access_in".

6. August 24, 2006 11:10:42 | 302020: ICMP connection built for faddr 193.222.224.104/0 gaddr 212.203.90.59/5 laddr FDFR001/8990

6. August 24, 2006 11:10:42 | 609001: built outside local host: 193.222.224.104

What could be the problem?

Thank you, Meg

It's only to predict the responses of echo at all on the external interface. If you do the following ACL on the outside, it should work...

outside_access_in list extended access permit icmp any any echo response

Problems of NAT with AnyConnect and 8.3 of the ASA

I have set up on an ASA 8.3 AnyConnect. I'm properly connect and pulling an IP from the pool that I created. The problem I have is that I'm quite see "receive" packets in the AnyConnect details. I know about the ASA 8.2 and earlier you would use a "waiver" NAT to do the translation of the identity. How is what is done with 8.3 and later?

Within 8.3 and later networks are defined as objects using groups of objects. Then, these groups of objects are referenced in the NAT statement to define both pre and post NAT (real / mapped) addresses.

network of the LOCAL_LAN object
Subnet 192.168.0.0 255.255.0.0

network of the REMOTE_LAN object
subnet 172.16.0.0 255.255.0.0

NAT static LOCAL_LAN LOCAL_LAN destination (indoor, outdoor) static source REMOTE_LAN REMOTE_LAN

Problem Cisco ASA VPN/ACL

All,

The situation is that I'm trying to initiates a connection outside a Firewall ASA, to a destination IP address that is on the remote end of a VPN tunnel looked SAA even on the external interface. So logically slow traffic is outside to outside.

The SAA is to deny the traffic that the conversation shows the source as the destination and the outside outside.

Is there something smart, that I can do on the SAA to solve this problem?

Thank you

D

Hello

Use the following command on the ASA:

permit same-security-traffic intra-interface

Kind regards

Aditya

Please evaluate the useful messages and mark the correct answers.

Problems with NAT

I have this very basic SNAT configuration.
The ERT is the the Gulf war of the 172.31.1.0/24 subnet, the VM has an IP 172.31.1.5. The external IP address of the ERT is 192.168.202.37. I can see traffic hit ERT, but no NAT rule is the table. The following two screenshots are with a ping extended to 1.1.1.1 running in the back.
No idea, I tried this in many ways and I do not see why does not.
Thank you.

Have you tried to apply the NAT rule to the 192.168.x.x instead of vNic_2 interface? Also definitely turned the firewall on the GSS?

E1000 2.1 and the xbox live NAT problem (I read all the others)

So like everyone, im having troublewith xbox live and NAT, but I feel my situation of dns is unique, so my solution is perhaps just as well. Help, please

Modem-> Router (e1000)-> port 1 (wired): xbox, wireless: mac computer

Configuration: Auto DHCP

MTU: tried 1365 and 1452, currently on 1452

UPnP: off

NAT: on

Port Range Forwarding - (tried reccomendations cisco and xbox, tried the verses of individual ports this range, currently at)

(looked in the outbreak, but as I have 2 devices, if I let a range of open ports, I want that it does match the xbox)

Application: xbox

Start port: 53

End port: 3074

Protocol: the two

IP address: 192.168.1.20

Xbox is set to:

IP: 192.168.1.20

Subnet mask: 255.255.255.0

Gateway: 192.168.1.1

DNS: automatic

reading only 1 dns (see notes)

Notes:

router port range is 100-149, so DHCP should not be a problem (I guess) if ip xbox is put out of reach ([192.168.1.20] being 20)

In my status tab in the router, it gives me only a dns. When I look at online modem, it gives 2 different DNS.

Each time, I have everything works a turn at a time, the computer always connects, Xbox Live still connects, but he still has the problem of nat.

I don't think it's a matter of double nat, bc when I look at the stats of my modem there is nowhere to configure ports (seems to be the modem only 1 Ethernet only)

Also, I noticed that the mtu of my modem is 1500 (I changed the mtu on the router, but not the mtu of my modem [it only allows me to change the mtu of my modem])

Help, please. I've been dealing with it and try different combinations of ports and options for 4-5 hours now. I'm starting to crack: S :).

Well, I found my own solution. I looked at all options as what could be easier for the components to deal with. Here's what worked:

Computer:

Configuration: Auto DHCP

MTU: 1452

UPnP: on

NAT: on

DMZ:

Source: 192.168.1.100 to 100

Destination: 192.168.1.1

Xbox:

I could leave it on auto dhcp mac address book bc but it looks like this:

IP:192.168.1.100

Subnet mask: 255.255.255.0

Gateway: 192.168.1.1

DNS: automatic

Combined with a DHCP reservation [via the mac address (for the safety of the DMZ)] all of it worked. With a DMZ, I didn't have to worry about which ports where correct. It was just messy because I was 2 devices of connection and could not choose a single static ip address. So, the example ip ending (20) was not default range of the router of 50 numbers. Pay attention to your range of ip addresses in the router settings.

* Make sure that your DMZ is on only a single or a partition of ip addresses, and you have other DHCP reservations for these ip addresses * you can find the mac address for xbox by accessing the network > configure network > additional settings > click Advanced settings, and not choose a 'different address', you should see a below *.

nat ASA 5520 problem

Hi I have a Cisco Asa 5520 and I want to vpn site-to-site by using another interface with a carrier of lan to lan, the problem is when I try to pass traffic have the syslog error to follow:

No translation not found for udp src lan2lan:10.5.50.63/44437 dst colo: biggiesmalls groups / 897

LAN to LAN service interface is called: lan2lan
one of the internal interfaces is called: colo

I think that is problem with Nat on the SAA but I need help with this.

Config:

!
interface GigabitEthernet0/0
nameif outside
security-level 0
eve of fw - ext 255.255.255.0 address IP XXaaaNNaa
OSPF cost 10
OSPF network point-to-point non-broadcast
!
interface GigabitEthernet0/1
No nameif
no level of security
no ip address
!
interface GigabitEthernet0/1.50
VLAN 50
nameif lb
security-level 20
IP 10.1.50.11 255.255.255.0
OSPF cost 10
!
interface GigabitEthernet0/1,501
VLAN 501
nameif colo
security-level 90
eve of fw - int 255.255.255.0 172.16.2.253 IP address
OSPF cost 10
!
!
interface GigabitEthernet1/1
Door-Lan2Lan description
nameif lan2lan
security-level 0
IP 10.100.50.1 255.255.255.248
!
access extensive list ip 10.1.0.0 lan2lan_cryptomap_51 allow 255.255.0.0 object-group elo
permit access list extended ip sfnet 255.255.255.0 lan2lan_cryptomap_51 object-group elo
pager lines 24
Enable logging
host colo biggiesmalls record
No message logging 313001
External MTU 1500
MTU 1500 lb
MTU 1500 Colo
lan2lan MTU 1500
ICMP unreachable rate-limit 1 burst-size 1
ARP timeout 14400
NAT-control
Global 1 interface (external)
interface of global (lb) 1
Global (colo) 1 interface
NAT (lb) 1 10.1.50.0 255.255.255.0
NAT (colo) - access list 0 colo_nat0_outbound
NAT (colo) 1 10.1.13.0 255.255.255.0
NAT (colo) 1 10.1.16.0 255.255.255.0
NAT (colo) 1 0.0.0.0 0.0.0.0
external_access_in access to the external interface group
Access-group lb_access_in in lb interface
Access-group colo_access_in in interface colo
Access-group management_access_in in management of the interface
Access-group interface lan2lan lan2lan
!
Service resetoutside
card crypto match 51 lan2lan_map address lan2lan_cryptomap_51
lan2lan_map 51 crypto map set peer 10.100.50.2
card crypto lan2lan_map 51 game of transformation-ESP-3DES-SHA
crypto lan2lan_map 51 set reverse-road map
lan2lan_map interface lan2lan crypto card
quit smoking
ISAKMP crypto identity hostname
ISAKMP crypto enable lan2lan
crypto ISAKMP policy 10
preshared authentication
3des encryption
sha hash
Group 2
life 86400
Crypto isakmp nat-traversal 20
enable client-implementation to date
IPSec-attributes tunnel-group DefaultL2LGroup
pre-shared-key xxXnnAA
tunnel-group 10.100.50.2 type ipsec-l2l
tunnel-group 10.100.50.2 General-attributes
Group Policy - by default-site2site
No vpn-addr-assign aaa
No dhcp vpn-addr-assign
Telnet timeout 5
!

The VPN is OK? ("' isakmp crypto to show his" should show a MM_Active tunnel to the peer address ")

Normally exempt us VPN site-to-site of NAT traffic. This could be your problem. If you can share your configuration, we can have a look.

p.s. you should affect the question of the security / VPN forum.

Nat SRP527W-U problem

Hello

I have nat rules for the troubled peripheral parameter SRP527W-U with the latest firmware 1.2.4 (003). The latest firmware 1.2.4 introduced the ability to create rules specific nat through "ACL policy rules. I try to use this 'new' not available in older versions to get my network configuration made. The configuration I want to do is to have two vlan different. In the vlan1 I want nat point_to_point interface and PC in the vlan2 I want to use Tar so each computer will be accessible via the public ip address.

I configured two different PVC on the device we are going to say:

ADSL_PVC0:

Encapsulation: PAI

multiplexing: LLC

type of QoS: UBR

Automatic detection VPI/VCI: disable

virtual circuit VPI:8 VCI:35

IP settings:

IP: 2.2.2.2 (it isn't my real ip address that's just an example)

subnet mask: 255.255.255.252

Gateway: 2.2.2.1

MTU: automatic

ADSL_PVC1:

Encapsulation: PPPoA

multiplexing: VC

type of QoS: UBR

Automatic detection VPI/VCI: disable

virtual circuit VPI:8 VCI:40

PPPoA settings:

user name: [email protected] / * /

past: xxxxxxx

connection: keep alive

MTU: automatic

in the Internet_setup_menu, I chose:

Default system via ADSL_PVC0 route

voice by default ADSL_PVC1 road

After that I enabled under menu interface_setup-> LAN-> VLAN_settings two different VLANS:

vlan1 (default vlan):

private_lan:

ID: 1

subscription_type: DHCP_server_pool

DHCP pool: DHCPRule_1 (VLAN1)

voice: off

Members: LAN_port1, LAN_port3, LAN_port4, SSID1

VLAN2 (vlan public):

public:

ID: 2

subscription_type: DHCP_server_pool

DHCP pool: DHCPRule_2_public_ip (VLAN2)

voice: off

Members: LAN_port2, SSID2

and I put two different rules of the DHCP:

DHCPRule_1

VLAN 1

ip address local address/subnet 192.168.1.1/24

mode DHCP: dhcp server

GW: 192.168.1.1

DNS proxy: enabled

DHCPRule_2_public_ip

VLAN 2

local ip address/subnet 3.3.3.1/27

mode DHCP: dhcp server

GW: 3.3.3.1

DNS proxy: disabled

DNS1: 8.8.8.8

After that, I put under menu network_setup-> nat-> global_nat:

address translation:

NAT: disabled

Instead, I added this policy under nat_bypass:

policy nat_lan

activated: Yes

inside the interface: vlan1

outside interface: ADSL_PVC0

IP address: 2.2.2.2/30

If I try to join a pc on the lan port 1 I am able to get the ip via DHCPRule_1 configuration I can ping 192.168.1.1 gw but I'm not able to ping 8.8.8.8.

If I try to join a pc on the lan port 2 I am able to get the ip via DHCPRule_2_public_ip configuration I ping 3.3.3.1 gw and I am ABLE to ping 8.8.8.8 and safe surfing on the web.

Side wan I am able to reach the router via the ip address different pubblic two assigned to the PVC ADSL_PVC0, ADSL_PVC1

If I try to activate the nat under global_nat of course, I am able to browse the web, and the device uses the public ip address of the pvc ADSL_PVC0 NAT 'myself. "

I tried configuration multiple times and I tried to apply many different configurations "flavor", but I'm still having trouble getting the configuration made. From my point of view, there is some sort of bug related to nat or something missing in this configuration.

Any help will be really appreciated.

Thanks in advance for your answer.

Hi Paolo,.

The default mode of operation for the RPS is to have active NAT. If the global NAT setting is disabled, then the RPS will run in mode routing only (no NAT never).

For your configuration, leave the global NAT setting as active and create a rule to bypass NAT for traffic in VLAN 2 (effectively ensure that this traffic is routed and not translated).

Rules-based routing policy allows you to set your local traffic PVC must use.

Hope that helps.

Andy

Static nat and NAT ACL 0

All,

I have nat 0 ACL indicating that an ip address should not be natted, while a static nat statement saying we need natted. I just want to know that we will have precedence.

Thank you

It is of the order of operations PIX nat / ASA.

the NAT 0 acl_name (nameif) has priority.

1 nat 0-list of access (free from nat)

2. match the existing xlates

3. match the static controls

a. static NAT with no access list

b. static PAT with no access list

4. match orders nat

a. nat [id] access-list (first match)

b. nat [id] [address] [mask] (best match)

i. If the ID is 0, create an xlate identity

II. use global pool for dynamic NAT

III. use global dynamic pool for PAT

Strange problem in IPSec Tunnel - 8.4 NAT (2)

Helloo all,.

This must be the strangest question I've seen since the year last on my ASA.

I have an ASA 5540, who runs the code of 8.4 (2) without any problem until I ran into this problem last week and I spent sleepless nights with no resolution! Then, take a deep breath and here is a brief description of my setup and the problem:

A Simple IPSEC tunnel between my 8.4 (2) ASA 5540 and a Juniper SSG 140 6.3.0r9.0 (road OS based VPN) screen

The tunnel rises without any problem but the ASA refused to encrypt the traffic but it decrypts with GLORY!

Here are a few outputs debug, see the output and a package tracer output that also has an explanation of my problem of NAT WEIRD:

my setup - (I won't get into the details of encryption tunnel as my tunnel negotiations are perfect and returns from the outset when the ASA is configured as response only)

CISCO ASA - IPSec network details

LAN - 10.2.4.0/28

REMOTE NETWORK - 192.168.171.8/32

JUNIPER SSG 140 - IPSec networks details

ID OF THE PROXY:

LAN - 192.168.171.8/32

REMOTE NETWORK - 10.2.4.0/28

Name host # sh cry counterpart his ipsec

peer address:

Tag crypto map: outside_map, seq num: 5, local addr:

outside_cryptomap_4 to access extended list ip 10.2.4.0 allow 255.255.255.240 host 192.168.171.8

local ident (addr, mask, prot, port): (10.2.4.0/255.255.255.240/0/0)

Remote ident (addr, mask, prot, port): (192.168.171.8/255.255.255.255/0/0)

current_peer:

#pkts program: encrypt 0, #pkts: 0, #pkts digest: 0

#pkts decaps: 72, #pkts decrypt: 72, #pkts check: 72

compressed #pkts: 0, unzipped #pkts: 0

#pkts uncompressed: 0, comp #pkts failed: 0, #pkts Dang failed: 0

success #frag before: 0, failures before #frag: 0, #fragments created: 0

Sent #PMTUs: 0, #PMTUs rcvd: 0, reassembly: 20th century / of frgs #decapsulated: 0

#send errors: 0, #recv errors: 0

local crypto endpt. : 0, remote Start. crypto: 0

Path mtu 1500, fresh ipsec generals 58, media, mtu 1500

current outbound SPI: 5041C19F

current inbound SPI: 0EC13558

SAS of the esp on arrival:

SPI: 0x0EC13558 (247543128)

transform: esp-3des esp-sha-hmac no compression

running parameters = {L2L, Tunnel}

slot: 0, id_conn: 22040576, crypto-card: outside_map

calendar of his: service life remaining key (s): 3232

Size IV: 8 bytes

support for replay detection: Y

Anti-replay bitmap:

0xFFFFFFFF to 0xFFFFFFFF

outgoing esp sas:

SPI: 0x5041C19F (1346486687)

transform: esp-3des esp-sha-hmac no compression

running parameters = {L2L, Tunnel}

slot: 0, id_conn: 22040576, crypto-card: outside_map

calendar of his: service life remaining key (s): 3232

Size IV: 8 bytes

support for replay detection: Y

Anti-replay bitmap:

0x00000000 0x00000001

CONTEXTS for this IPSEC VPN tunnel:

# Sh asp table det vpn context host name

VPN CTX = 0x0742E6BC

By peer IP = 192.168.171.8

Pointer = 0x78C94BF8

State = upwards

Flags = BA + ESP

ITS = 0X9C28B633

SPI = 0x5041C19D

Group = 0

Pkts = 0

Pkts bad = 0

Incorrect SPI = 0

Parody = 0

Bad crypto = 0

Redial Pkt = 0

Call redial = 0

VPN = filter

VPN CTX = 0x07430D3C

By peer IP = 192.168.1.8

Pointer = 0x78F62018

State = upwards

Flags = DECR + ESP

ITS = 0X9C286E3D

SPI = 0x9B6910C5

Group = 1

Pkts = 297

Pkts bad = 0

Incorrect SPI = 0

Parody = 0

Bad crypto = 0

Redial Pkt = 0

Call redial = 0

VPN = filter

outside_cryptomap_4 to access extended list ip 10.2.4.0 allow 255.255.255.240 host 192.168.171.8

NAT (inside, outside) static source Ren - Ren - about destination static counterpart-host peer to route non-proxy-arp-search

network of the Ren - around object

subnet 10.2.4.0 255.255.255.240

network of the host object counterpart

Home 192.168.171.8

HS cry ipsec his

IKE Peer:

Type: L2L role: answering machine

Generate a new key: no State: MM_ACTIVE

output packet tracer extracted a packet transmitted by the network of 10.2.4.0/28 to 192.168.171.8 host

Phase: 7

Type: VPN

Subtype: encrypt

Result: ALLOW

Config:

Additional information:

Direct flow from returns search rule:

ID = 0x7789d788, priority = 70, domain = encrypt, deny = false

Hits = 2, user_data is0x742e6bc, cs_id = 0x7ba38680, reverse, flags = 0 x 0 = 0 protocol

IP/ID=10.2.4.0 SRC, mask is 255.255.255.240, port = 0

IP/ID=192.168.171.8 DST, mask is 255.255.255.255, port = 0, dscp = 0 x 0

input_ifc = none, output_ifc = external

VPN settings corresponding to the encrytpion + encapsulation and the hits here increment only when I run a test of tracer from my host on the remote peer inside package.

A tracer complete package out for a packet of the 10.2.4.1 255.255.255.255 network to host 192.168.171.8:

Phase: 1

Type: ACCESS-LIST

Subtype:

Result: ALLOW

Config:

Implicit rule

Additional information:

Direct flow from returns search rule:

ID = 0x77ebd1b0, priority = 1, domain = allowed, deny = false

hits = 3037156, user_data = 0 x 0, cs_id = 0 x 0, l3_type = 0 x 8

Mac SRC = 0000.0000.0000, mask is 0000.0000.0000

DST = 0000.0000.0000 Mac, mask is 0100.0000.0000

input_ifc = output_ifc = any to inside,

Phase: 2

Type:-ROUTE SEARCH

Subtype: entry

Result: ALLOW

Config:

Additional information:

in 192.168.171.0 255.255.255.0 outside

Phase: 3

Type: IP-OPTIONS

Subtype:

Result: ALLOW

Config:

Additional information:

Direct flow from returns search rule:

ID = 0x77ec1030, priority = 0, sector = inspect-ip-options, deny = true

hits = 212950, user_data = 0 x 0, cs_id = 0 x 0, reverse, flags = 0 x 0 = 0 protocol

IP/ID=0.0.0.0 SRC, mask is 0.0.0.0, port = 0

IP/ID=0.0.0.0 DST, mask is 0.0.0.0, port = 0, dscp = 0 x 0

input_ifc = output_ifc = any to inside,

Phase: 4

Type:

Subtype:

Result: ALLOW

Config:

Additional information:

Direct flow from returns search rule:

ID = 0x7c12cb18, priority = 18, area = import-export flows, deny = false

hits = 172188, user_data = 0x78b1f438, cs_id = 0 x 0, use_real_addr, flags = 0 x 0,

IP/ID=0.0.0.0 SRC, mask is 0.0.0.0, port = 0

IP/ID=0.0.0.0 DST, mask is 0.0.0.0, port = 0, dscp = 0 x 0

input_ifc = output_ifc = any to inside,

Phase: 5

Type: NAT

Subtype:

Result: ALLOW

Config:

NAT (inside, outside) static source Ren - Ren - about destination static counterpart-host peer to route non-proxy-arp-search

Additional information:

Definition of static 10.2.4.1/2700 to 10.2.4.1/2700

Direct flow from returns search rule:

ID = 0x77e0a878, priority = 6, area = nat, deny = false

hits = 9, user_data is 0x7b7360a8, cs_id = 0 x 0, use_real_addr, flags = 0 x 0, proto

IP/ID=10.2.4.1 SRC, mask is 255.255.255.240, port = 0

IP/ID=192.168.171.8 DST, mask is 255.255.255.255, port = 0, dscp = 0 x 0

input_ifc = inside, outside = output_ifc

(it's the weird NAT problem I see. I see the number of hits is increment only when I run the packet tracer understands even I have pings (traffic) the 192.168.171.8 constant welcomes the 10.2.4.1/28)-s'il please see the package I pasted after the capture section)

Phase: 6

Type: VPN

Subtype: encrypt

Result: ALLOW

Config:

Additional information:

Direct flow from returns search rule:

ID = 0x7b8751f8, priority = 70, domain = encrypt, deny = false

hits = 3, user_data = 0x7432b74, cs_id = 0x7ba38680, reverse, flags = 0 x 0, proto

IP/ID=10.2.4.1 SRC, mask is 255.255.255.240, port = 0

IP/ID=192.168.171.8 DST, mask is 255.255.255.255, port = 0, dscp = 0 x 0

input_ifc = none, output_ifc = external

Phase: 7

Type: VPN

Subtype: ipsec-tunnel-flow

Result: ALLOW

Config:

Additional information:

Reverse flow from returns search rule:

ID = 0x78b0c280, priority = 69 = ipsec-tunnel-flow area, deny = false

hits = 154, user_data is 0x7435f94, cs_id = 0 x 0, reverse, flags = 0 x 0 = 0 protocol

IP/ID=192.168.171.8 SRC, mask is 255.255.255.255, port = 0

IP/ID=10.2.4.1 DST, mask is 255.255.255.240, port = 0, dscp = 0 x 0

input_ifc = out, output_ifc = any

Phase: 8

Type: IP-OPTIONS

Subtype:

Result: ALLOW

Config:

Additional information:

Reverse flow from returns search rule:

ID = 0x77e7a510, priority = 0, sector = inspect-ip-options, deny = true

hits = 184556, user_data = 0 x 0, cs_id = 0 x 0, reverse, flags = 0 x 0 = 0 protocol

IP/ID=0.0.0.0 SRC, mask is 0.0.0.0, port = 0

IP/ID=0.0.0.0 DST, mask is 0.0.0.0, port = 0, dscp = 0 x 0

input_ifc = out, output_ifc = any

Phase: 9

Type: CREATING STREAMS

Subtype:

Result: ALLOW

Config:

Additional information:

New workflow created with the 119880921 id, package sent to the next module

Information module for forward flow...

snp_fp_tracer_drop

snp_fp_inspect_ip_options

snp_fp_tcp_normalizer

snp_fp_translate

snp_fp_adjacency

snp_fp_encrypt

snp_fp_fragment

snp_ifc_stat

Information for reverse flow...

snp_fp_tracer_drop

snp_fp_inspect_ip_options

snp_fp_ipsec_tunnel_flow

snp_fp_translate

snp_fp_tcp_normalizer

snp_fp_adjacency

snp_fp_fragment

snp_ifc_stat

Result:

input interface: inside

entry status: to the top

entry-line-status: to the top

output interface: outside

the status of the output: to the top

output-line-status: to the top

Action: allow

Hostname # sh Cap A1

8 packets captured

1: 12:26:53.376033 192.168.10.252 > 10.2.4.1: icmp: echo request

2: 12:26:53.376597 10.2.4.1 > 192.168.10.252: icmp: echo reply

3: 12:26:56.487905 192.168.171.8 > 10.2.4.1: icmp: echo request

4: 12:27:01.489217 192.168.171.8 > 10.2.4.1: icmp: echo request

5: 12:27:03.378245 192.168.10.252 > 10.2.4.1: icmp: echo request

6: 12:27:03.378825 10.2.4.1 > 192.168.10.252: icmp: echo reply

7: 12:27:06.491597 192.168.171.8 > 10.2.4.1: icmp: echo request

8: 12:27:11.491856 192.168.171.8 > 10.2.4.1: icmp: echo request

8 packets shown

As you can see, there is no echo response packet at all because the package may not be wrapped while he was sent to.

I'm Karen with it. In addition, he is a firewall multi-tenant live production with no problems at all outside this for a Juniper ipsec tunnel!

Also, the 192.168.10.0/24 is another remote network of IPSec tunnel to this network of 10.2.4.0/28 and this IPSEC tunnel has a similar Juniper SSG 140 screen os 6.3.0r9.0 at the remote end and this woks like a charm with no problems, but the 171 is not be encrypted by the ASA at all.

If someone could help me, that would be greatt and greatly appreciated!

Thanks heaps. !

Perfect! Now you must find something else inside for tomorrow--> forecast rain again

Please kindly marks the message as answered while others may learn from it. Thank you.

Need help, a problem with IPSec and NAT - T

We had a successful between a Cisco remote access client and the ASA connection. The connection is more data transfer, but the Phase I and Phase II complete successfully. There are several sections between separate networks for the remote user to the ASA, including hotlines of Verizon and Verizon's ISP.

Troubleshooting Cisco guides strongly suggests, it is a problem of NAT - T, but when I turn on debugging 254 isakmp and debug ipsec 254, I get only a modest messages on NAT - T, which is "Recieved NAT-Traversal version 02 VID. This message and connections, are when I disabled it on the ASA of NAT - T.

If I enable NAT - T on the SAA, the remote client cannot establish Phase I or II; I was not able to gather debugs on this scenerio yet.

The customer has a second laptop, both of them experience the same problem. We have ensured that the Tunneling, UPD 4500 is activated.

I suspect that an intermediary device or Verizon, changed something.

What should be my next troubleshooting (unfortunately, I can't post the configs)?

Kind regards

j

From my very limited experience, both sides must have the NAT - T enabled, otherwise the side who did not need NAT - t won't be able to read the part of the IP header because it is encrypted.

Good luck!

Pedro

NAT VPN

I'm havening problems with NAT over VPN. with current configs below it will complete the first phase of the tunnel and then stop because the ip address is not natted. If I put a permit in the statement of the permits it will be nat to internet host, but not via the vpn. If I put in a static nat statement it will nat and attempt to create a tunnel but I get the error (increment the count of errors on his, try 1 5: retransmit the phase 1)

version 12.3

horodateurs service debug datetime msec

Log service timestamps datetime msec

encryption password service

!

hostname BatsVpnRouter

!

boot-start-marker

start the system flash c1700-k9o3sy7 - mz.122 - 13.T.bin

boot-end-marker

!

no console logging

Select the secret xxx

activate the password xxx

!

MMI-60 polling interval

No mmi self-configuring

No pvc mmi

MMI snmp-timeout 180

No aaa new-model

no ip subnet zero

!

IP cef

Max-events of po verification IP 100

!

crypto ISAKMP policy 1

BA 3des

preshared authentication

Group 2

ISAKMP crypto key xxx address 190.0.0.1

!

!

Crypto ipsec transform-set esp-3des esp-sha-hmac bats

!

bats_map 2 ipsec-isakmp crypto map

defined by peer 190.0.0.1

transformation-BALD-MOUSE game

-More - match address BATSACL

!

!

!

interface Ethernet0

IP address 11.0.x.x.255.255.224

NAT outside IP

full-duplex

bats_map card crypto

!

interface FastEthernet0

IP 192.168.1.2 255.255.255.0

IP nat inside

Speed 100

full-duplex

!

IP nat inside source list bats-nat interface Ethernet0 overload

IP classless

IP route 0.0.0.0 0.0.0.0 11.0.0.1

no ip address of the http server

no ip http secure server

!

BATSACL extended IP access list

permit ip host 11.0.0.5 200.0.0.1

192.168.1.100 ip permit host 200.0.0.1

permit ip host 11.0.0.5 200.0.0.2

192.168.1.100 ip permit host 200.0.0.2

permit ip host 11.0.0.5 200.0.0.3

192.168.1.100 ip permit host 200.0.0.3

IP extended access-list of the bats-nat

permit log host 200.0.0.1 host 192.168.1.100 ip

192.168.1.100 ip permit host 200.0.0.2

192.168.1.100 ip permit host 200.0.0.3

!

public RO SNMP-server community

Enable SNMP-Server intercepts ATS

alias exec clip claire rou ip *.

alias exec crs copy run start

alias exec deb187 debug ip pack det 187

alias exec ospfnei sh ip ospf nei

alias exec ship sho ip route

alias exec shr sho run

alias exec Ibis show ip brief inter

alias exec ip sip sho pro

alias exec tr traceroute

alias exec ss sho sess

sho alias exec sl online

alias exec cl clear line

!

Line con 0

line to 0

line vty 0 4

password xxx

opening of session

Ok. You must make sure that the ACl:s are the same (but in reverse) on both sides, which means that you probably need to remove a few lines on the Router 1. The ACL should look like this:

BATSACL extended IP access list

permit ip host 11.0.0.5 200.0.0.1

permit ip host 11.0.0.5 200.0.0.2

permit ip host 11.0.0.5 200.0.0.3

Remove the keyword "log" of this line:

IP extended access-list of the bats-nat

permit log host 200.0.0.1 host 192.168.1.100 ip

OK, now you've cleaned it, trying to make appear the tunnel again, try it with 200.0.0.1 and 200.0.0.2.

Then, check the remote debugging.

Problem of NAT or ACL?

Similar Questions

Maybe you are looking for