Question of VPN traffic

Well, this happens to be the strangest thing I've seen. Here is the configuration. I have a Pix 515e firewall. I have setup VPN on my users can connect remotely from across the country.

I have a set of users who can not connect. Let me be clear. The VPN client connects, we give them an IP address by the firewall, but they cannot send traffic over the tunnel. I tried ping all of the inside interface of the firewall to the servers behind it and nothing. Now, all of the users who do not work all exist in the same location, current running on the same network and behind their firewall. And they worked until a week ago. Their provider said it has not changed anything on his firewall and I know that I have not changed anything on my own. So, any help would be greatly appreciated.

Pls turn on nat-traversal on your PIX Firewall:

ISAKMP nat-traversal crypto

That would incorporate the ESP in UDP/4500. Looks like it fails because that behind the NAT device to that particular place.

Hope that helps.

Tags: Cisco Security

Similar Questions

  • Questions of VPN tunnel

    People,

    You can help me understand how I can fix the following issues I have with a 1721 router (Version 12.3 (8) T5) and client VPN 4.6.01.x please.

    BTW, the server at 192.168.3.2 is a file, DNS, WINS server and proxy for the LAN environment. All the staff of the PC is required to use the proxy but visitors on the 192.168.2.0 network can access the internet directly.

    Back to my questions. I have the obligation to set up a VPN tunnel to connect to a PC that is running Terminal Server services / remote desktop on a PC to 192.168.1.9. When running the VPN software on the laptop I get a login prompt and everything seems fine. I ping the addresses of router and that works.

    But the three things I don't understand:

    1. I can't telnet with great success to the loopback address of the router, as well as other addresses 192.168.x.x. very well, but why is it possible that I can telnet to the 192.168.4.1 loopback address?

    2. I can't DRC to the server on 192.168.3.2. The server can (and) accepts connections on a subnet, I created the network of 192.168.6.x I put up as VLAN6 on SEA4 (the port of spare on the map of ether 4 ports). The only thing I did not in the configuration of the interface was the nat ip within the statement.

    3. I can't do a nslookup through the tunnel VPN (delays all the time) and neither can I http to the IIS server on the same 192.168.3.2 box. What I mean here is that other applications seem to work except telnet!)

    Then...:

    Why the telnet is so special? I thought that if I could telnet to the router, then I should be able to access the server. And before ask you, there is no firewall or whatever it is executed on the server by stopping this stupid connections. Hey, I'm the guy from router, not the jockey of server!

    I've managed to misinterpret the statement "corresponds to the address 105" in the cryptomap? The ACL would reflect the traffic flow both ways?

    I should have a statement of hash in the section of "crypto isakmp policy 5. The client indicates that the connection is OK then why should I need it?

    I appreciate your time to help. I was scratching my head a lot in the last two days.

    Timothy

    Your NAT config, it is what kills you here. You can telnet to the router interface, because then the NAT configuration does not take effect (because NAT doesn't happen for passing traffic THROUGH the router, FOR her). You must refuse the IPSec traffic to be NAT would have, otherwise, it does not match the encryption access list and is not encrypted on the way back.

    Your 100 access list is incorrect, remove it and add in the following:

    access-list 100 deny ip 192.168.0.0 0.0.255.255 192.168.5.0 0.0.0.255

    access-list 100 permit ip 192.168.0.0 0.0.255.255 everything

    That said NAT VPN traffic does 192.168.5.0, but NAT do it if he goes anywhere else (Internet).

    Also, you seem to have defined a map static encryption for your customer traffic, it is not used and may cause you problems with the list of access-105. Follow these steps to get rid of it and just use the dynamic encryption card:

    no card crypto clientmap 1

    You just need to have dynamic instance map (number 20) crypto left in your config file.

  • Configuration of the router to allow VPN traffic through

    I would like to ask for assistance with a specific configuration to allow VPN traffic through a router from 1721.

    The network configuration is the following:

    Internet - Cisco 1721 - Cisco PIX 506th - LAN

    Remote clients connect from the internet by using the Cisco VPN client. The 1721 should just pass the packets through to the PIX, which is 192.168.0.2. Inside of the interface of the router is 192.168.0.1.

    The pix was originally configured with a public ip address and has been tested to work well to authenticate VPN connections and passing traffic in the local network. Then, the external ip address was changed to 192.168.0.2 and the router behind.

    The 1721 is configured with an ADSL connection, with fall-over automatic for an asynchronous connection. This configuration does not work well, and in the local network, users have normal internet access. I added lists of access for udp, esp and the traffic of the ahp.

    Cisco VPN clients receive an error indicating that the remote control is not responding.

    I have attached the router for reference, and any help would be greatly apreciated.

    Manual.

    Brian

    For VPN clients reach the PIX to complete their VPN the PIX needs to an address that is accessible from the outside where the customers are. When the PIX was a public address was obviously easy for guests to reach the PIX. When you give the PIX one address private, then he must make a translation. And this becomes a problem if the translation is dynamic.

    You have provided a static translation that is what is needed. But you have restricted the TCP 3389. I don't know why you restricted it in this way. What is supposed to happen for ISAKMP and ESP, AHP traffic? How is it to be translated?

    If there is not a static translation for ISAKMP traffic, ESP and AHP so clients don't know how to reach the server. Which brings me to the question of what the address is configured in the client to the server?

    HTH

    Rick

  • 7.2 ASA5520 - filters VPN traffic

    Hi all,

    I would like to know how can I filter out VPN traffic with a list of access, by using the source address and port of destination as filters.

    I tried with "no sysopt permit vpn connection" but it is to filter the traffic through the VPN tunnel and I want to filter the host which can establish the VPN tunnel.

    I did it in a router with this access list:

    Note access-list 101 VPN

    access-list 101 permit ahp host x.x.x.x everything

    access-list 101 permit esp host x.x.x.x any newspaper

    access-list 101 permit host x.x.x.x esp all

    access-list 101 permit udp host x.x.x.x any eq isakmp

    access-list 101 permit udp host x.x.x.x any eq non500-isakmp

    But I tried the same thing in the ASA and does not work, I think it's because the ASA does not apply the access list for VPN traffic.

    Sincerely, Fernando.

    Fernando

    You can disable it with "no crypto isakmp are outside", but then even if you apply an acl to the outside which allows all IP, ESP, AH it still does not allow an IPSEC connection.

    So for the moment I see no way to do this without using an acl on your router upstream.

    I'll do a reading just in case I missed something.

    Jon

  • Capture packets for VPN traffic

    Hi team,

    Please help me to set the ACL and capture for remote access VPN traffic.

    To see the amount of traffic flows from this IP Source address.

    Source: Remote VPN IP (syringe) 10.10.10.10 access

    Destination: any

    That's what I've done does not

    extended VPN permit tcp host 10.10.10.10 access list all

    interface captures CAP_VPN VPN access to OUTSIDE gross-list data type

    Hello

    If you have configured capture with this access list, you filter all TCP traffic, so you will not be able to see the UDP or ICMP traffic too, I would recommend using the ACL, although only with intellectual property:

    list of allowed extended VPN ip host 10.10.10.10 access everything

    Capture interface outside access, VPN CAP_VPN-list

    Then with:

    See the capture of CAP_VPN

    You will be able to see the packet capture on the SAA, you can export the capture of a sniffer of packages as follows:

      https:// /capture//pcap capname--> CAP

    For more details of capture you can find it on this link

    Let me know if you could get the information that you were trying to achieve.

    Please Don t forget to rate and score as correct the helpful post!

    David Castro,

    Kind regards

  • NAT on the VPN traffic

    Hello everyone, I need help in a vpn configuration, this is the problem that I need nat all vpn traffic because I net to put into place a vpn but I already have another vpn with the same network, so that overlap with the new one, then how I can nat overlaps all traffic to another network in order to avoid the network?.

    Please I really need help

    Thank you

    You say that the 192.168.1.100 is able to go through the tunnel and the internet now?

    Try to add another...

    IP nat inside source static 192.168.1.101 10.10.44.101 map route VPN

    for example.

    Federico.

  • ASA encrypt interesting VPN traffic

    Hello everybody out there using ASA.

    I had a few IPSEC VPN tunnels between the company's central site and remote sites.

    Two dsl lines were connected to the ASA, one for VPN traffic and the other for the internet.

    The default gateway has been configured online internet, some static while insured roads as traffic to the sites of the company was sent through the other line.

    A few days ago we changed the configuration of ASA to use only a single dsl connection, then the line serving the internet has been cut, while the other will become the gateway default and static routes have been removed.

    The VPN connections instant stopped working and trying to send packets to the remote lan, it seems that ASA will not recognize that the traffic is encrypted. Obviousely we checked cryptomap, acl, ecc, but we find no problem... do you have any suggestions?

    Thanks in advance,

    Matt

    -----------------------------------------------------------------------------------------------------------------------------------------------------------------

    XNetwork object network
    10.10.0.0 subnet 255.255.255.0

    network of the YNetwork object
    172.0.1.0 subnet 255.255.255.0

    card crypto RB1ITSHDSL001_map2 1 corresponds to the address RB1ITSHDSL001_1_cryptomap
    card crypto RB1ITSHDSL001_map2 1 set peer a.b.c.186
    RB1ITSHDSL001_map2 1 transform-set ESP-3DES-SHA crypto card game

    RB1ITSHDSL001_1_cryptomap list extended access permitted ip XNetwork object YNetwork

    -------------------------------------------------------------------------------------------------------------------------------------------------------------------

    Hello

    Your exit the ASA must be encrypting the traffic between XNetwork and YNetwork.

    If the ASA does not encrypt this traffic, it could be because there is a problem with the NAT configuration.

    When the ASA receives a packet, it must first check if there are ACLs that allows traffic, passes through the inspection engine and check that the associated NAT. For example, if the package is coordinated, then the private IP encryption will never take place.

    Could ensure you that packets from the XNetwork are really reach the ASA, the NAT rule is correct and you may be looking for "debugging cry isa 127" and "scream ips 127" debug to check for errors of incompatibility.

    In addition, what is the condition of the tunnel trying to communicate: "sh cry isa his"

    Federico.

  • VPN needs access to all external internal vpn traffic traffic all in tunnel

    Hello

    Could someone help me find the problem?

    I am ASA configuration as firewall + vpn server, essentially outside of the device's access T1 (there are two VLANS in inside via an iptables, outside of iptables is on the same vlan as insdie of ASA (192.168.5.1 and 192.168.5.2).)  VPN users are authenticated via authentication 2 factors (SDI, ip is 192.168.5.5) and get the ACL by local database.  pool of VPN is 192.168.6.1 - 192.168.6.15. pool of VPN is coordinated to the external IP address

    trying to access a remote host A from the host a is open for the IP and one specific Protocol. all vpn traffic are in the tunnel. the VPN user can connected and ACL vpnuser1_ONLY not working does not as expected.

    Here is the part of configuration:

    ASA Version 8.2 (2)
    ...........

    Route outside 0.0.0.0 0.0.0.0 xx.10.194.193 1

    Route inside companynet1 255.255.255.0 192.168.5.2 1

    Route inside companynet2 255.255.255.0 192.168.5.2 1

    Route inside companynet3 255.255.255.0 192.168.5.2 1

    Route inside companynet4 255.255.255.0 192.168.5.2 1

    ...............

    Route inside companynetn 255.255.255.0 192.168.5.2 1


    NAT (inside) 4 vpnpool 255.255.255.0 outside   <--------- is="" this="">

    Global (outside) 4 xx.10.194.238 netmask 255.255.255.255

    Split-tunnel-policy tunnelall

    .....................

    vpnuser1_ONLY list extended access permitted tcp vpnpool 255.255.255.0 192.168.1.28 host 255.255.255.255 eq ssh connect

    vpnuser1_ONLY list extended access permitted tcp vpnpool 255.255.255.0 74.2.23.195 host 255.255.255.255 eq ssh connect

    ............

    enable SVC

    tunnel-group-list activate

    attributes of Group Policy DfltGrpPolicy

    VPN - connections 8

    VPN-idle-timeout 10

    VPN-session-timeout 60

    Protocol-tunnel-VPN l2tp ipsec

    WebVPN

    SVC Dungeon - install any

    time to generate a new key of SVC 8

    SVC generate a new method ssl key

    SVC request no svc default

    internal GroupPolicy1 group strategy

    attributes of Group Policy GroupPolicy1

    VPN - connections 1

    VPN-idle-timeout 9

    VPN-session-timeout 45

    VPN-tunnel-Protocol svc

    Split-tunnel-policy tunnelall

    WebVPN

    SVC Dungeon - install any

    time to generate a new key of SVC 15

    SVC generate a new method ssl key

    client of dpd-interval SVC 30

    dpd-interval SVC 30 bridge

    value of deny message connection succeeded, but because some criteria have not been met, or because of a specific group policy, you are not allowed to use the VPN features. For more information, contact your COMPUTER administrator.

    disable the SVC routing-filtering-ignore

    username vpnuser1 encrypted password xxxxxxx

    username vpnuser1 attributes

    VPN-group-policy GroupPolicy1

    VPN-idle-timeout 6

    VPN-session-timeout 20

    VPN-filter value vpnuser1_ONLY

    VPN-tunnel-Protocol svc

    value of group-lock COMAVPN

    type of remote access service

    tunnel-group DefaultRAGroup webvpn-attributes

    Disable group companyvpn aliases

    type tunnel-group COMAVPN remote access

    attributes global-tunnel-group COMAVPN

    address (inside) vpnpool pool

    address vpnpool pool

    SDI Group-authentication server

    authentication-server-group (inside) SDI

    LOCAL authority-server-group

    Group Policy - by default-GroupPolicy1

    tunnel-group COMAVPN webvpn-attributes

    activation of the Group companyremote alias

    I did anything wrong / missing?

    Thank you

    Yijun


    First of all, you can set "no nat-control" because once you have relieved of NAT, 'no nat-control' becomes disable anyway. 'No nat-control' is useful if you have no statement of NAT at all on the interface.

    Second, if you can't access the outside inside which is because you must configure the NAT exemption. Not sure if you have configured it.

    Here's the command:

    access-list allowed sheep ip 192.168.1.0 255.255.255.0 192.168.6.0 255.255.255.0

    NAT (inside) 0 access-list sheep

    You can then add all other subnets that are internal to the ACL sheep if you need VPN access.

    Finally, for the error message deny on access-group "OUTSIDE", you would need check if you have configured "sysopt connection VPN-enabled'. If it is disabled, it will also check the "OUTSIDE" interface for VPN traffic.

  • VPN traffic via a secondary access provider

    Hello world

    I have been asked by a client to implement this topology:

    where:

    ISP 1 is used as primary internet connection.

    2 ISP will be used to connect remote users by IPsec VPN.

    Currently, I'm not looking for the Active/Backup feature, I need to know if I can use both ISP connections (as I've written before) an ISP for the Internet company and the other for the user remote access VPN.

    I read some post where, said, it's possible, but I want to be sure.

    Kind regards

    Jose

    ASA must add the static route in the routing table automatically when the VPN client is connected. So, in general, you don't need to do anything. But if not, you can just manually configure who will forward a VPN client IP packet to ISP2.

    With respect to NAT, in general, VPN traffic must ignore the NAT. You can use "nat (inside_interface_name) 0-list of access ' with an ACL that define the vpn traffic to do so.

  • WSA issue with MS-OUTLOOK and VPN traffic

    Hi all

    I am facing a problem where

    1. my users are able to access their mail from the web page, but ms-outlook is not able to synchronize e-mail.

    2. our internal user to an external site via VPN, the user is able to establish the VPN connection, but the web page user tries to gain access to via VPN is not available. I can see traffic from the user to WSA in the firewall, but the traffic of WSA is not forward traffic after that.

    Please suggest. As it is new, I needmore helps everyone.

    Run the command grep in WSA CLI to get the corresponding access logs to see the behavior of the ASO at demand management.

    Grep, access connects for a starter, SSH to the ASO and run the following command from the CLI:

    1 Grep
    2. Enter the number of the journal you want to grep: 1 (for accesslogs)
    3. Enter the regular expression to grep: . *.
    4. do you want the search to be case insensitive? : Y
    5. do you want to tail the logs? : Y
    6. you want to paginate output? : N

    Please keep in mind WSA is passively receiving the traffic and please ensure those kind of traffic will be sent to ASO before confirm us that it of a WSA question or not.

  • Monitoring of VPN traffic

    If a user connects using the AnyConnect client, and then connects via RDP to an internal Windows machine, I'd be able to see all traffic via syslog from the RDP session?  I can see the client login, auth, DHCP, then the port 3389 in order to connect to the internal area of Windows, but only once the connection on port 3389 traffic (and subsequent termination of the VPN session at the request of the user).  It seems that there is a kind of traffic through the ASA to the VPN client, at least at the level of the presentation layer.  Asked me to look at this to determine if a person was actually connected and work or if they have just connected to make it look like they were doing their job.

    Also, in the same sense - is there a difference shown when a session ends for max of the session and a user actually disconnection?  The reason why I ask this question is the above user has been connected for exactly 12 hours, which is the Max connection time (720 minutes), but the newspaper it says was by the request of the user.  My guess is that it was a max session timeout but I have to be positive about that.

    Thanks in advance...

    If the RDP user in a device, the activity that takes place during the RDP session would be from this device to other applications. When you're talking about syslog, I guess you see syslog messages when the RDP box creates an outgoing link or other subnet that goes through the ASA and ASA sends syslog messages?

    If you want to see activity in the RDP session, you need check the outbound RDP host connection, and for the SAA trigger and send syslog, traffic from the host RDP must pass through the ASA.

    Example:

    Connect to it via RDP 192.168.1.5 and AnyConnect.

    If you want to check the activities, you will need to check if 192.168.1.5 launches all connections.

    In regards to the max session disconnects, can you please share the syslog message which specifies that.

    Hope that helps.

  • On the Question of VPN S2S source NAT

    Currently we have a number of implementation of VPN with various clients.  We are NAT'ing range them at a 24 in our network to keep simple routing, but we seek to NAT Source our resources due to security problems.  It is an example of a current virtual private network that we have configured:

    outside_map crypto card 5 corresponds to the address SAMPLE_cryptomap

    outside_map 5 peer set 99.99.99.99 crypto card

    card crypto outside_map 5 set ikev1 transform-set ESP-3DES-MD5 SHA-ESP-3DES

    card crypto outside_map 5 the value reverse-road

    SAMPLE_cryptomap list extended access permitted ip object-group APP_CLIENT_Hosts-group of objects CLIENT_Hosts

    NAT (inside, outside) static source APP_CLIENT_Hosts APP_CLIENT_Hosts CLIENT_Host_1_NAT CLIENT_Host_1 non-proxy-arp-search of route static destination

    NAT (inside, outside) static source APP_CLIENT_Hosts APP_CLIENT_Hosts CLIENT_Host_2_NAT CLIENT_Host_2 non-proxy-arp-search of route static destination

    NAT (inside, outside) static source APP_CLIENT_Hosts APP_CLIENT_Hosts CLIENT_Host_3_NAT CLIENT_Host_3 non-proxy-arp-search of route static destination

    the APP_CLIENT_Hosts object-group network

    network-object, object SITE1_APP_JCAPS_Dev_VIP

    network-object, object SITE1_APP_JCAPS_Prod_VIP

    network-object, object SITE2_APP_JCAPS_Dev_Host

    network-object, object SITE2_APP_JCAPS_Prod_VIP

    network-object, object SITE1_APP_PACS_Primary

    network of the SITE1_APP_JCAPS_Dev_VIP object

    Home 10.200.125.32

    network of the SITE1_APP_JCAPS_Prod_VIP object

    Home 10.200.120.32

    network of the SITE2_APP_JCAPS_Dev_Host object

    Home 10.30.15.30

    network of the SITE2_APP_JCAPS_Prod_VIP object

    Home 10.30.10.32

    network of the SITE1_APP_PACS_Primary object

    Home 10.200.10.75

    network of the CLIENT_Host_1 object

    host of the object-Network 192.168.15.100

    network of the CLIENT_Host_2 object

    host of the object-Network 192.168.15.130

    network of the CLIENT_Host_3 object

    host of the object-Network 192.168.15.15

    network of the CLIENT_Host_1_NAT object

    host of the object-Network 10.200.192.31

    network of the CLIENT_Host_2_NAT object

    host of the object-Network 10.200.192.32

    network of the CLIENT_Host_3_NAT object

    host of the object-Network 10.200.192.33

    My question revolves around the Source NAT configuration.  If I understand correctly, I have to configure 3 statements of NAT per NAT Source since there are three different destinations that are NAT' ed.  I think I would need to add this:

    network of the SITE1_APP_JCAPS_Dev_VIP_NAT object

    Home 88.88.88.81

    network of the SITE1_APP_JCAPS_Prod_VIP_NAT object

    Home 88.88.88.82

    network of the SITE2_APP_JCAPS_Dev_Host_NAT object

    Home 88.88.88.83

    network of the SITE2_APP_JCAPS_Prod_VIP_NAT object

    Home 88.88.88.84

    network of the SITE1_APP_PACS_Primary_NAT object

    Home 88.88.88.85

    NAT (inside, outside) static source SITE1_APP_JCAPS_Dev_VIP SITE1_APP_JCAPS_Dev_VIP_NAT CLIENT_Host_1_NAT CLIENT_Host_1 non-proxy-arp-search of route static destination

    NAT (inside, outside) static source SITE1_APP_JCAPS_Dev_VIP SITE1_APP_JCAPS_Dev_VIP_NAT CLIENT_Host_2_NAT CLIENT_Host_2 non-proxy-arp-search of route static destination

    NAT (inside, outside) static source SITE1_APP_JCAPS_Dev_VIP SITE1_APP_JCAPS_Dev_VIP_NAT CLIENT_Host_3_NAT CLIENT_Host_3 non-proxy-arp-search of route static destination

    NAT (inside, outside) static source SITE1_APP_JCAPS_Prod_VIP SITE1_APP_JCAPS_Prod_VIP_NAT CLIENT_Host_1_NAT CLIENT_Host_1 non-proxy-arp-search of route static destination

    NAT (inside, outside) static source SITE1_APP_JCAPS_Prod_VIP SITE1_APP_JCAPS_Prod_VIP_NAT CLIENT_Host_2_NAT CLIENT_Host_2 non-proxy-arp-search of route static destination

    NAT (inside, outside) static source SITE1_APP_JCAPS_Prod_VIP SITE1_APP_JCAPS_Prod_VIP_NAT CLIENT_Host_3_NAT CLIENT_Host_3 non-proxy-arp-search of route static destination

    NAT (inside, outside) static source SITE2_APP_JCAPS_Dev_Host SITE2_APP_JCAPS_Dev_Host_NAT CLIENT_Host_1_NAT CLIENT_Host_1 non-proxy-arp-search of route static destination

    NAT (inside, outside) static source SITE2_APP_JCAPS_Dev_Host SITE2_APP_JCAPS_Dev_Host_NAT CLIENT_Host_2_NAT CLIENT_Host_2 non-proxy-arp-search of route static destination

    NAT (inside, outside) static source SITE2_APP_JCAPS_Dev_Host SITE2_APP_JCAPS_Dev_Host_NAT CLIENT_Host_3_NAT CLIENT_Host_3 non-proxy-arp-search of route static destination

    NAT (inside, outside) static source SITE2_APP_JCAPS_Prod_VIP SITE2_APP_JCAPS_Prod_VIP_NAT CLIENT_Host_1_NAT CLIENT_Host_1 non-proxy-arp-search of route static destination

    NAT (inside, outside) static source SITE2_APP_JCAPS_Prod_VIP SITE2_APP_JCAPS_Prod_VIP_NAT CLIENT_Host_2_NAT CLIENT_Host_2 non-proxy-arp-search of route static destination

    NAT (inside, outside) static source SITE2_APP_JCAPS_Prod_VIP SITE2_APP_JCAPS_Prod_VIP_NAT CLIENT_Host_3_NAT CLIENT_Host_3 non-proxy-arp-search of route static destination

    NAT (inside, outside) static source SITE1_APP_PACS_Primary SITE1_APP_PACS_Primary_NAT CLIENT_Host_1_NAT CLIENT_Host_1 non-proxy-arp-search of route static destination

    NAT (inside, outside) static source SITE1_APP_PACS_Primary SITE1_APP_PACS_Primary_NAT CLIENT_Host_2_NAT CLIENT_Host_2 non-proxy-arp-search of route static destination

    NAT (inside, outside) static source SITE1_APP_PACS_Primary SITE1_APP_PACS_Primary_NAT CLIENT_Host_3_NAT CLIENT_Host_3 non-proxy-arp-search of route static destination

    Is that correct, or is at - it an easier way to do this without having to add all statements of NAT?  Moreover, any change would be to do on the access list?

    Hello

    To my knowledge you should not create several new instructions from NAT. You should be well just create a new Group 'object' for new addresses your source address NAT.

    To better explain, take a look at your current ' object-group ' that defines your source addresses

    the APP_CLIENT_Hosts object-group network

    network-object, object SITE1_APP_JCAPS_Dev_VIP

    network-object, object SITE1_APP_JCAPS_Prod_VIP

    network-object, object SITE2_APP_JCAPS_Dev_Host

    network-object, object SITE2_APP_JCAPS_Prod_VIP

    network-object, object SITE1_APP_PACS_Primary

    Now you can do this sets up a "object-group" that contains a NAT IP address for each of the IP addresses inside the ' object-group ' and 'object' used above. The IMPORTANT thing is that the ' object-group ' that contains the NAT IP addresses is in the SAME ORDER as the actual source addresses.

    I mean, this is the first IP address is in most object - group ' will correspond to the first IP address in the newly created "object-group" for the IP NAT addresses.

    As above, you can simply have the same "nat" configurations 3 as before but you change/add in the newly created "object-group"

    For example, you might do the following

    network of the SITE1_APP_JCAPS_Dev_VIP_NAT object

    Home 88.88.88.81

    network of the SITE1_APP_JCAPS_Prod_VIP_NAT object

    Home 88.88.88.82

    network of the SITE2_APP_JCAPS_Dev_Host_NAT object

    Home 88.88.88.83

    network of the SITE2_APP_JCAPS_Prod_VIP_NAT object

    Home 88.88.88.84

    network of the SITE1_APP_PACS_Primary_NAT object

    Home 88.88.88.85

    the APP_CLIENT_Hosts_NAT object-group network

    network-object, object SITE1_APP_JCAPS_Dev_VIP_NAT

    network-object, object SITE1_APP_JCAPS_Prod_VIP_NAT

    network-object, object SITE2_APP_JCAPS_Dev_Host_NAT

    network-object, object SITE2_APP_JCAPS_Prod_VIP_NAT

    network-object, object SITE1_APP_PACS_Primary_NAT

    Then you add the following configurations of "nat"

    NAT (inside, outside) 1 static source APP_CLIENT_Hosts APP_CLIENT_Hosts_NAT CLIENT_Host_1_NAT CLIENT_Host_1 non-proxy-arp-search of route static destination

    Static NAT APP_CLIENT_Hosts APP_CLIENT_Hosts_NAT static destination CLIENT_Host_2_NAT CLIENT_Host_2 non-proxy-arp-search of source route 2 (inside, outside)

    NAT 3 (indoor, outdoor) static source APP_CLIENT_Hosts APP_CLIENT_Hosts_NAT CLIENT_Host_3_NAT CLIENT_Host_3 non-proxy-arp-search of route static destination

    Note line numbers, we added the above commands. This allows them to enter the upper part of the ASAs NAT rules, and therefore, they will become active immediately. Without line numbers that they will only be used after when you remove the old lines.

    Then you can remove the "old"

    no nat source (indoor, outdoor) public static APP_CLIENT_Hosts APP_CLIENT_Hosts CLIENT_Host_1_NAT CLIENT_Host_1 non-proxy-arp-search of route static destination

    no nat source (indoor, outdoor) public static APP_CLIENT_Hosts APP_CLIENT_Hosts CLIENT_Host_2_NAT CLIENT_Host_2 non-proxy-arp-search of route static destination

    no nat source (indoor, outdoor) public static APP_CLIENT_Hosts APP_CLIENT_Hosts CLIENT_Host_3_NAT CLIENT_Host_3 non-proxy-arp-search of route static destination

    This should leave you with 3 configurations "nat" who made the NAT source addresses and destination.

    Naturally while you perform this change you will also have to change the ACL Crypto to match the new source NAT. This is because as all NAT is done before any VPN on the ASA. So the destination addresses are Nations United for before VPN and source addresses are translated before VPN.

    If you do not want to make the changes without affecting the connections too so I suggest

    • Add rules to the ACL Crypto for new addresses (NAT) source. Of course, this must be done on both sides of the VPN L2L. You would still be leaving the original configurations to the Crypto ACL does not not the functioning of the L2L VPN.
    • Add new configurations of "nat" above without the line numbers I mentioned who mean you that they wont be used until you remove the "old".
    • When you are ready to be migrated to use the new IP addresses, simply remove the original "nat" configurations and the ASA will start the corresponding traffic for new "nat" configurations. Provided of course that there is no other "nat" configuration before the nine that could mess things up. This should be verified by the person making the changes.

    Of course if you can afford a small cut when then changing the order in which you do things should not matter that much. In my work, that connections are usually not that critical that you can't make these changes almost at any point as it is a matter of minutes what it takes to make changes.

    Hope this made sense and helped

    Remember to mark a reply as the answer if it answered your question.

    Feel free to ask more if necessary.

    -Jouni

  • Best way to filter out VPN traffic

    We set up a VPN tunnel with a vendor and I want to not allow Pings and a specific port. I thought you could do that through the card encryption on the ASA 5510 but looks it must allow all IP traffic, and then you filter by using a filter of VPN? Which requires a parameter default sysopt change. Don't I have that right? Am I overthinking this? My VPN tunnels are normally in other areas of society I want to all IP traffic.

    Thank you!

    Hello

    No, they are not directly related to eachother.

    You can use the VPN filter without touching the "sysopt" configuration.

    Rather than configuring separate ACL (which uses a different logic depending on the format) for each VPN I prefer to put "no sysopt permit vpn connection" and filter incoming connections running through VPN connections on the 'external' ACL interface like any traffic coming from behind ' outside ' interface.

    Here is the link to the information custom "sysopt".

    http://www.Cisco.com/en/us/docs/security/ASA/command-reference/S21.html#wp1567918

    Hope this helps

    Remember to mark a reply as the answer if it answered your question.

    Feel free to ask more if necessary.

    -Jouni

  • NATting for VPN traffic only

    I have a client with an ASA 5505 who has several networks, he tries to communicate via a VPN tunnel with a desktop remotely. One of the networks does not work because it is also used on the other side of the tunnel management interface, and none of both sides seem ready to re - IP their interior space.

    Their proposed solution is to NAT the contradictory network on this side to a different subnet firewall before passing through the tunnel. How to implement a NAT which only uses the VPN tunnel while the rest of the traffic that comes through this device of the United-NATted Nations?

    The network in question is 192.168.0.0/24. Their target you want the NAT is 172.16.0.0/24. Config of the SAA is attached.

    Hello

    Basically, the political dynamic configuration PAT should work to connect VPN L2L because the PAT political dynamics is processed before PAT/NAT dynamic configurations.

    Only NAT configurations that can replace this dynamic NAT of the policy are

    • NAT0 / exempt NAT configuration
    • Strategy static NAT/PAT
    • Public static NAT/PAT

    And because we have determined that the only problem is with the network 192.168.0.0/24 and since there is no static configuration NAT/PAT or static policy NAT/PAT, then PAT political dynamics should be applied. Unless some configurations NAT0 continues to cause problems.

    The best way to determine what rules are hit for specific traffic is to use the command "packet - trace" on the SAA

    Packet-trace entry inside tcp 192.168.0.100 12345 10.1.7.100 80

    For example to simulate an HTTP connection at random on the remote site

    This should tell us for example

    • Where the package would be sent
    • He would pass the ACL interface
    • What NAT would be applied
    • It would correspond to any configuration VPN L2L
    • and many others

    Then can you take a sample output from the command mentioned twice and copy/paste the second result here. I ask get exit twice because that where the actual VPN L2L negotiations would go through the first time that this command would only raise the L2L VPN while the second command could show already all the info of what actually passed to the package simulated.

    In addition, judging by the NAT format you chose (political dynamics PAT), I assume that only your site connects to the remote site? Given that the political dynamics PAT (or dynamic PAT) normal does not allow creating a two-way connection. Connections can be opened that from your site to the remote site (naturally return traffic through automatically because existing connections and translations)

    -Jouni

  • Question of VPN &amp; ACS

    Hello

    It's maybe a stupid question, but I need to learn more about security issues, so here's my question: If the remote end users can access their corporate network via secure VPN, then why do need ACS solution? Thank you to educate me.

    My examples are not too clear. You are right in that you can provide access to the server to your VPN users through AAA filters for the VPN concentrator.

    In the environment where I work, we also use ACS to authenticate wireless users AS5300 dial-up users and access to our routers and switches.

    Here is a link that I hope this explains a bit more clear:

    http://www.Cisco.com/en/us/products/sw/secursw/ps2086/products_user_guide_chapter09186a0080205a5d.html

    HTH

    Steve

Maybe you are looking for