RA VPN VPN L2L via NAT strategy

Scenario: we have remote access VPN users who need to access an L2L VPN through the same ASA outside interface. This particular L2L VPN is with a partner that requires us to NAT our (192.168.x.x) addresses to another private address (172.20.x.x). We also access the L2L VPN from internal hosts. NATing to the partner is accomplished through policy NAT.

Our remote VPN users cannot access the L2L VPN. It seems that the VPN host address (assigned through RADIUS) is not being NAT'd, even though it is in the object-group range.

"Group" is configured and works for the other VPN.

The NO-NAT ACL does not seem to be involved (which it shouldn't be), as the address of the internal host (192.168.60.x) is not NAT'd to the public address.

Internal hosts can access the VPN tunnel just fine.

Here is the relevant config:

same-security-traffic permit intra-interface
object-group network OURHosts
 network-object host 192.168.1.x
 network-object host 192.168.2.x
 network-object 192.168.60.0 255.255.255.0
object-group network PartnerHosts
 network-object host 10.2.32.a
 network-object host 10.2.32.b
 network-object host 10.2.32.c
access-list NAT2 extended permit ip object-group OURHosts object-group PartnerHosts
global (OUTSIDE) 2 172.20.x.x
nat (INSIDE) 2 access-list NAT2

The syslog error we receive:

%ASA-4-402117: IPSEC: Received a non-IPSec packet (protocol= ICMP) from 10.2.32.a to 192.168.60.x

Yes. According to the config that you posted, there is currently no command in place to NAT the RA VPN clients when they hairpin over the tunnel.

The inside clients work because of "nat (INSIDE) 2 access-list NAT2". But because your RA VPN clients come in from "OUTSIDE", this nat statement would have no effect on them.
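The missing piece the reply describes, as an added example that is not part of the original thread: a policy NAT rule bound to OUTSIDE for the RA VPN pool, in the same pre-8.3 nat/global syntax as the posted config. It assumes the RA pool is 192.168.60.0/24 (the range already listed in OURHosts); the ACL name RA-NAT2 is hypothetical, and 172.20.x.x and PartnerHosts are the thread's own placeholders.

```cisco
! Added example, not the poster's config. Pre-8.3 (nat/global) syntax.
! Assumption: the RA VPN pool is 192.168.60.0/24.
! RA-NAT2 is a hypothetical ACL name.

! Already in the posted config: lets traffic enter and leave the same
! interface, which the RA-to-L2L hairpin on OUTSIDE depends on.
same-security-traffic permit intra-interface

! Policy NAT ACL limited to RA pool -> partner hosts, so RA traffic to
! any other destination is left untranslated.
access-list RA-NAT2 extended permit ip 192.168.60.0 255.255.255.0 object-group PartnerHosts

! RA clients enter on OUTSIDE, so the nat statement is bound to OUTSIDE.
! NAT ID 2 reuses the existing "global (OUTSIDE) 2 172.20.x.x" address
! that the inside hosts already use to reach the partner.
nat (OUTSIDE) 2 access-list RA-NAT2

! Checks after an RA client pings a partner host:
! a 192.168.60.x -> 172.20.x.x translation should be listed
show xlate
! encaps/decaps counters on the partner SA should both increase
show crypto ipsec sa
```

With the translation in place, the partner sees 172.20.x.x as the source and replies inside the tunnel, so the %ASA-4-402117 message for 192.168.60.x should no longer appear.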

Tags: Cisco Security

Similar Questions

  • ASA IPP on VPN L2L w/NAT

    I have an L2L VPN tunnel on a Cisco ASA 5520 that I am trying to get IPPS to work on. In my cryptomap ACL I defined a local object-group and a remote object-group, and I'm doing one-to-one NAT on the local group. I also have a route map configured that will take the static routes and redistribute them into my EIGRP AS. Two things: 1, I noticed I don't see static routes on my ASA that point to the remote subnets, and 2, the ACL that I used in my route-map definition is not getting any hits on it.

    Any thoughts on where I can go wrong?

    Thank you

    Darren

    Have you configured the following?

    crypto map set reverse-route

    If you have, can you remove it and add it again and see if that fixes the problem?

  • L2L VPN tunnel with NATting will not allow traffic initiated by the spoke to reach the hub.

    Traffic from the internal host with the NAT address works OK, but when the spoke tests it, the traffic never connects.

    Host 10.1.12.232 gets NAT'd to 172.27.63.133 and passes through the VPN tunnel to 10.24.4.65 without a problem. However, when 10.24.4.65 tries to ping or connect to 172.27.63.133, the traffic does not make it to inside host 10.1.12.232.

    ASA-1#
    !
    object network obj-172.27.73.0
     subnet 172.27.73.0 255.255.255.0
    object network obj-172.27.63.0
     subnet 172.27.63.0 255.255.255.0
    object network obj-10.1.0.0
     subnet 10.1.0.0 255.255.0.0
    object network obj-10.24.4.64
     subnet 10.24.4.64 255.255.255.224
    object network obj-172.27.73.0-172.27.73.255
     range 172.27.73.0 172.27.73.255
    object network 10.0.0.0
     subnet 10.0.0.0 255.0.0.0
    object network obj-24.173.237.212
     host 24.173.237.212
    object network obj-10.1.12.232
     host 10.1.12.232
    object network obj-172.27.63.133
     host 172.27.63.133
    object-group network DM_INLINE_NETWORK_9
     network-object 10.0.0.0 255.255.255.0
     network-object 10.0.11.0 255.255.255.0
     network-object 10.0.100.0 255.255.255.0
     network-object 10.0.101.0 255.255.255.0
     network-object 10.0.102.0 255.255.255.0
     network-object 10.0.103.0 255.255.255.0
    object-group network DM_INLINE_NETWORK_16
     network-object 10.1.11.0 255.255.255.0
     network-object 10.1.12.0 255.255.255.0
     network-object 10.1.13.0 255.255.255.0
     network-object 10.1.3.0 255.255.255.0
    !
    access-list outside_1_cryptomap extended permit ip object-group DM_INLINE_NETWORK_16 object-group DM_INLINE_NETWORK_9
    access-list outside_8_cryptomap extended permit ip 172.27.73.0 255.255.255.0 10.24.4.64 255.255.255.224
    access-list outside_8_cryptomap extended permit ip 172.27.63.0 255.255.255.0 10.24.4.64 255.255.255.224
    !
    access-list outside extended permit ip 10.24.4.64 255.255.255.224 172.27.63.0 255.255.255.0
    access-list outside extended permit ip 10.24.4.64 255.255.255.224 10.1.0.0 255.255.0.0
    access-list outside extended permit ip 172.27.63.0 255.255.255.0 10.1.0.0 255.255.0.0
    !
    nat (inside,any) source static obj-172.27.73.0 obj-172.27.73.0 destination static obj-10.24.4.64 obj-10.24.4.64 no-proxy-arp route-lookup
    nat (inside,any) source static obj-172.27.63.0 obj-172.27.63.0 destination static obj-10.24.4.64 obj-10.24.4.64 no-proxy-arp route-lookup
    nat (inside,outside) source dynamic obj-10.66.0.0 obj-172.27.73.0-172.27.73.255 destination static obj-10.24.4.64 obj-10.24.4.64
    nat (inside,outside) source dynamic obj-10.70.0.0 obj-172.27.73.0-172.27.73.255 destination static obj-10.24.4.64 obj-10.24.4.64
    nat (inside,outside) source dynamic obj-10.96.228.0 obj-172.27.73.0-172.27.73.255 destination static obj-10.24.4.64 obj-10.24.4.64
    nat (inside,outside) source dynamic obj-10.96.229.0 obj-172.27.73.0-172.27.73.255 destination static obj-10.24.4.64 obj-10.24.4.64
    nat (inside,outside) source dynamic obj-192.168.5.0 obj-172.27.73.0-172.27.73.255 destination static obj-10.24.4.64 obj-10.24.4.64
    nat (inside,outside) source dynamic obj-10.75.0.0 obj-172.27.73.0-172.27.73.255 destination static obj-10.24.4.64 obj-10.24.4.64
    nat (inside,outside) source dynamic obj-10.11.0.0 obj-172.27.73.0-172.27.73.255 destination static obj-10.24.4.64 obj-10.24.4.64
    nat (inside,outside) source static obj-10.1.3.37 obj-10.71.0.37 destination static obj-50.84.209.140 obj-50.84.209.140
    nat (inside,outside) source static obj-10.1.3.38 obj-10.71.0.38 destination static obj-50.84.209.140 obj-50.84.209.140
    nat (inside,outside) source static obj-10.1.12.232 obj-172.27.63.133 destination static obj-10.24.4.64 obj-10.24.4.64
    nat (inside,outside) source dynamic obj-10.1.0.0 obj-172.27.73.0-172.27.73.255 destination static obj-10.24.4.64 obj-10.24.4.64
    !
    nat (outside,inside) source static obj-10.24.4.64 obj-10.24.4.64 destination static obj-172.27.63.133 obj-10.1.12.232
    nat (outside,outside) source static obj-10.24.4.64 obj-10.24.4.64 destination static obj-172.27.63.133 obj-10.1.12.232

    object network 10.0.0.0
     nat (inside,outside) dynamic obj-24.173.237.212
    !
    nat (VendorDMZ,outside) after-auto source dynamic obj-192.168.13.0 obj-24.173.237.212
    access-group outside in interface outside
    route outside 0.0.0.0 0.0.0.0 24.173.237.209 1
    route inside 10.1.0.0 255.255.0.0 10.1.10.1 1
    route inside 10.2.1.0 255.255.255.248 10.1.10.1 1
    !
    crypto ipsec ikev1 transform-set SHA-ESP-3DES esp-3des esp-sha-hmac
    crypto ipsec ikev1 transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
    crypto ipsec ikev1 transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
    crypto ipsec ikev1 transform-set ESP-3DES-SHA-DH2 esp-3des esp-sha-hmac
    crypto ipsec security-association pmtu-aging infinite
    !
    crypto map GEMed 8 match address outside_8_cryptomap
    crypto map GEMed 8 set peer 64.245.57.4
    crypto map GEMed 8 set ikev1 transform-set ESP-AES-256-SHA ESP-AES-256-MD5
    crypto map GEMed interface outside
    !
    : end
    ASA-1#

    Hello

    First of all, I would remove these two lines because they do nothing productive:

    nat (outside,inside) source static obj-10.24.4.64 obj-10.24.4.64 destination static obj-172.27.63.133 obj-10.1.12.232
    nat (outside,outside) source static obj-10.24.4.64 obj-10.24.4.64 destination static obj-172.27.63.133 obj-10.1.12.232

    Then I would run packet-tracer to see which NAT rule you actually hit.

    packet-tracer input inside 10.1.12.232 12345 10.24.4.65 12345

  • Policy NAT for VPN L2L

    Summary:

    We are trying to establish a two-way L2L VPN tunnel with a partner. VPN traffic is one-to-many towards our partner, and our partner needs many-to-one to us (they need to access a host on our network). In addition, our partner has many VPNs, so they force us to use separate NAT with two private host addresses, one for each direction of the tunnel.

    With my initial configuration, the tunnel came up on my side for Phase 1, but not IPSec. The partner ran a debug that revealed that my host address was not NAT'd by the policy NAT. We use an ASA5520, ver 7.0.

    Here is the config:

    ## List of OUR hosts
    object-group network OURHosts
     network-object host 192.168.x.y

    ## List of PARTNER hosts
    object-group network PARTNERHosts
     network-object host 10.2.a.b

    ### ACL for NAT
    # Many-to-many outgoing
    access-list NAT2 extended permit ip object-group OURHosts object-group PARTNERHosts
    # One-to-many incoming
    access-list VIH3 extended permit ip host 192.168.c.d object-group PARTNERHosts

    ## NAT
    nat (INSIDE) 2 access-list NAT2
    nat (OUTSIDE) 2 172.20.n.0
    nat (INSIDE) 3 access-list VIH3
    nat (OUTSIDE) 3 172.20.n.1

    ## ACL for VPN
    access-list VPN extended permit ip object-group OURHosts object-group PARTNERHosts
    access-list VPN extended permit ip host 192.168.c.d object-group PARTNERHosts

    ## Tunnel
    tunnel-group type ipsec-l2l
    crypto map <#> match address VPN
    crypto map <#> set transform-set VPN
    crypto map <#> set peer

    I realize that the ACL for the VPN should read:

    access-list VPN extended permit ip host 172.20.n.0 object-group PARTNERHosts
    access-list VPN extended permit ip host 172.20.n.1 object-group PARTNERHosts

    ... if the NAT was working properly, but when this ACL is used, Phase 1 is not even negotiating, so I know the NAT is never translated.

    What am I missing to NAT our hosts to the 172.20 addresses when they try to access the partner's internal addresses via the VPN?

    Thanks in advance.

    Patrick

    Here is the order of operations for NAT on the firewall:

    1. nat 0 access-list (nat-exempt)

    2. match the existing xlates

    3. match static commands

    a. static NAT with no access list

    b. static PAT with no access list

    4. match nat commands

    a. nat [id] access-list (first match)

    b. nat [id] [address] [mask] (best match)

    i. If the ID is 0, create an identity xlate

    ii. use global pool for dynamic NAT

    iii. use global pool for dynamic PAT

    You can try

    (1) a static NAT with an access list, which will have priority over the dynamic NAT statement

    (2) as you can see in 4a, it uses first match for nat with an access list, so theoretically swapping them around should do the trick.

    I don't see any negative consequences? -Well Yes, you could lose all connectivity. I don't think that will happen, but I can't promise if you do absolutely not this after-hours.

    Jon

  • Do you need a VPN L2L NAT

    Hi all

    I need to create an L2L VPN tunnel between us and another local company. We use a 3845 router and the other company uses a 3745 router. I have created a lot of VPN tunnels in the past using NAT. In this case, I don't have to. Is it possible for a VPN tunnel to work with the same configuration without using NAT? My router and the device being connected to all have a public IP address on the same subnet.

    Thank you

    Stevan

    Hello

    Yes, you can create L2L without having to use NAT.

    See the examples of configuration (under VPN Site to Site with PIX/IOS):

    http://www.Cisco.com/en/us/partner/products/HW/vpndevc/ps2030/prod_configuration_examples_list.html

    Before that, you probably have more experience configuring a tunnel as shown in the URL below:

    http://www.Cisco.com/en/us/Partner/Tech/tk583/TK372/technologies_configuration_example09186a00800949ef.shtml

    Rgds,

    AK

  • Cisco ASA Site to Site VPN IPSEC and NAT question

    Hi people,

    I have a question about site-to-site IPSEC VPN and NAT. Basically, what I want to achieve is the following:

    ASA2 is at HQ and ASA1 is at a remote site. I have no problem setting up a static-to-static site-to-site IPSEC VPN between the sites. Hosts residing in 10.1.0.0/16 are able to communicate with hosts in 192.168.1.0/24, but what I want is to configure NAT with the IPSEC VPN so that hosts in 10.1.0.0/16 communicate with hosts in 192.168.1.0/24 using translated addresses.

    Just an example:

    Host N2 (10.1.0.1/16) contacts host N1 (192.168.1.5) using destination 10.23.1.5, say, not 192.168.1.5 (notice the last byte is the same, in this case .5).

    The translation holds for the rest of the communication (host N2 pings host N3 at destination IP 10.23.1.6, not 192.168.1.6; again the last byte is the same).

    It sounds a bit confusing to me, but I've seen this type of configuration before when I worked for a managed services provider where we provided it to our customers (IPsec site-to-site VPN with NAT; I don't know how it was set up).

    Basically we contacted the customer hosts via site-to-site VPN, but their real addresses were hidden and we used translated addresses such as the above 10.23.1.0/24 instead of the (real) 192.168.1.0/24; the last byte must be the same.

    Grateful if someone can shed some light on this subject.

    Hello

    OK so went with the old format of NAT configuration

    It seems to me that you could do the following:

    • Configure ASA1 with static policy NAT

      • access-list L2LVPN-POLICYNAT permit ip 192.168.1.0 255.255.255.0 10.1.0.0 255.255.0.0
      • static (inside,outside) 10.23.1.0 access-list L2LVPN-POLICYNAT
    • Because the above is a static policy NAT, the translation will be made only when the destination network is 10.1.0.0/16
    • If you have for example a PAT basic configuration to inside-> external traffic, the above NAT configuration and the custom of the actual configuration of PAT interfere with each other
    • On the ASA2 side, you can configure NAT0 / NAT exemption for the 10.1.0.0/16 network as normal
      • access-list INSIDE-SHEEP remark L2LVPN SHEEP
      • access-list INSIDE-SHEEP permit ip 10.1.0.0 255.255.0.0 10.23.1.0 255.255.255.0
      • nat (inside) 0 access-list INSIDE-SHEEP
    • You will need to consider that your access-list defining the L2L VPN encrypted traffic must reflect the new NAT network
      • ASA1: access-list L2LVPN-ENCRYPTIONDOMAIN permit ip 10.23.1.0 255.255.255.0 10.1.0.0 255.255.0.0
      • ASA2: access-list L2LVPN-ENCRYPTIONDOMAIN permit ip 10.1.0.0 255.255.0.0 10.23.1.0 255.255.255.0

    I could test this configuration at work tomorrow, but I would like to know if it works.

    Please rate if this was helpful

    -Jouni

  • L L VPN routing via alternative tunnel... mesh?

    Hi all

    We have an L2L IPSEC tunnel between our head office and a hosting company; everything works fine, solid as a rock. But we now have a requirement for one of our branches to also run a tunnel to the hosting company, and for cost and control reasons it was decided that the branch will be routed via the head office...

    We also have an IPSEC tunnel running between the head office and the branch, so all we need to get the whole thing running is to get the branch to route to the hosting company via the head office.

    It would be like a full mesh, but with one of the links removed (branch to hosting), or some kind of hybrid? BTW the head office and the branch run Cisco ASA5550 and 5515 respectively and we have full control over these devices; for the hosting company, I'm not sure, but maybe an ASA...

    Links to documentation or advice would be greatly appreciated...

    Hello

    Well, I don't know how you have configured NAT for traffic between the branch and the hosting site.

    It appears from the above that you added the real branch network to the headquarters - hosting L2L VPN? If so, then you need a NAT configuration at the headquarters that is between "outside" and "outside". In other words, a NAT0 configuration for the "outside" interface. (My original suggestion was dynamic PAT for the branch if you want to avoid configuration changes on the hosting site.)

    That would probably be the first thing I would check.

    If it is fine, then I would check the VPN counters for both of the L2L VPN connections:

    show crypto ipsec sa peer

    This should show you if the L2L VPN has negotiated for the branch and hosting networks on both L2L VPN connections. It could also tell you if packets are flowing in both directions.

    If the problem is outside your headquarters network, then you would probably see only decapsulated/decrypted packets for the headquarters - branch L2L VPN and only encapsulated/encrypted packets for the headquarters - hosting site L2L VPN.

    -Jouni

  • VPN IPsec with NAT

    ASA5510, 8.0.x

    I need to set up a site-to-site (L2L) VPN to a remote location.

    The remote IT consultant asks me NOT to go out with my real (public) IP address, but translated to a single IP address.

    On my side, I have a /24 network; on the remote site, I have to reach only 4 IP addresses.

    The VPN is one way only: I need to reach their servers, but not vice versa.

    I tried to follow document ID 99122 (http://www.cisco.com/en/US/partner/products/hw/vpndevc/ps2030/products_configuration_example09186a00808c9950.shtml), but it seems not to work with a static NAT of a /24 translated to a single IP address.

    I tried to ask them to allow me to NAT to a /24, but they disagree.

    Any solution?

    Kind regards

    Claudio

    Hello

    If I understand correctly, you want to dynamic PAT your /24 network to a single IP address only when contacting the remote site via the L2L VPN.

    For this, you can try to use dynamic policy PAT:

    access-list L2LVPN-POLICYNAT remark Define traffic for dynamic policy PAT for L2L VPN
    access-list L2LVPN-POLICYNAT permit ip 10.10.10.0 255.255.255.0 host 1.1.1.1
    access-list L2LVPN-POLICYNAT permit ip 10.10.10.0 255.255.255.0 host 1.1.1.2
    access-list L2LVPN-POLICYNAT permit ip 10.10.10.0 255.255.255.0 host 1.1.1.3
    access-list L2LVPN-POLICYNAT permit ip 10.10.10.0 255.255.255.0 host 1.1.1.4
    global (outside) 200 <PAT IP>
    nat (inside) 200 access-list L2LVPN-POLICYNAT

    Also, of course, your L2L VPN crypto map ACL should look like this:

    access-list L2LVPN-CRYPTOMAP remark Define encryption domain for L2L VPN connection
    access-list L2LVPN-CRYPTOMAP permit ip host <PAT IP> host 1.1.1.1
    access-list L2LVPN-CRYPTOMAP permit ip host <PAT IP> host 1.1.1.2
    access-list L2LVPN-CRYPTOMAP permit ip host <PAT IP> host 1.1.1.3
    access-list L2LVPN-CRYPTOMAP permit ip host <PAT IP> host 1.1.1.4
    crypto map match address L2LVPN-CRYPTOMAP

    Where

    • 10.10.10.0/24 = is your source LAN network
    • 1.1.1.1 - 4 = are the 4 remote-end hosts you must contact through the L2L VPN
    • PAT IP = is the IP address assigned by the remote end to be used with the L2L VPN

    Hope this helps

    EDIT: Copy/paste strikes again. I had both ACLs with the same name. Now corrected.

    -Jouni

  • Add the existing network of VPN l2l

    I have properly configured L2L VPNs between our main site and 2 offices. Now, I would like to allow additional networks on the main site to access the branch sites. The Cisco doc here (http://www.cisco.com/en/US/products/ps6120/products_configuration_example09186a00807fad90.shtml) presents a method to do this by adding an additional interface. Is it possible to do this without adding an interface?

    Here is the relevant config on the main site ASA (8.0) and one of the remote PIXes (7.0):

    =========================

    ASA (main site)

    access-list outside_1_cryptomap extended permit ip 172.16.0.0 255.255.255.0 172.16.29.0 255.255.255.0
    access-list outside_1_cryptomap extended permit ip 172.16.1.0 255.255.255.0 172.16.29.0 255.255.255.0
    crypto map outside_map 1 match address outside_1_cryptomap
    crypto map outside_map 1 set peer 24.97.x.x
    crypto map outside_map 1 set transform-set ESP-3DES-MD5

    =========================

    PIX (remote site)

    access-list outside_cryptomap_20_2 extended permit ip 172.16.29.0 255.255.255.0 172.16.0.0 255.255.255.0
    access-list outside_cryptomap_20_2 extended permit ip 172.16.29.0 255.255.255.0 172.16.1.0 255.255.255.0
    crypto map outside_map 20 match address outside_cryptomap_20_2
    crypto map outside_map 20 set peer 204.14.x.x
    crypto map outside_map 20 set transform-set ESP-3DES-MD5

    Just add the interesting traffic to your access lists. New network = 172.16.2.0/24

    ASA (main site)

    access-list outside_1_cryptomap extended permit ip 172.16.2.0 255.255.255.0 172.16.29.0 255.255.255.0

    PIX (remote site)

    access-list outside_cryptomap_20_2 extended permit ip 172.16.29.0 255.255.255.0 172.16.2.0 255.255.255.0

    Don't forget your nat exemption acl as well. For example...

    ASA (main site)

    extended access-list allow ip 172.16.2.0 255.255.255.0 172.16.29.0 255.255.255.0

    PIX (remote site)

    permit extended access list ip 172.16.29.0 255.255.255.0 172.16.2.0 255.255.255.0

  • Go simple configuration of vpn L2L comply with security requirements

    Hello

    I have successfully installed an L2L connection between us (5510, 7.2) and a 3rd party (SonicWall).

    Security requirements are such that users (contractors) at our office can connect to various devices at the 3rd party, BUT nothing at the 3rd party may connect to anything at our office.

    I tried an outbound ACL (access-group L2L-RESTRICT out interface inside) on the inside interface. But the funny thing is that I'm getting hits on the deny statements in the ACL, although tests show no problems connecting to multiple hosts at our site from the 3rd party. My ACL config looks like the following:

    <..snip..>

    access-list L2L-RESTRICT remark * ATTENTION * WITH CAUTION - RESTRICTIONS ON the 3rd PARTY VPN L2L
    access-list L2L-RESTRICT extended permit icmp 192.168.16.0 255.255.255.0 10.180.21.0 255.255.255.0 echo-reply
    access-list L2L-RESTRICT extended deny ip 192.168.16.0 255.255.255.0 any log
    access-list L2L-RESTRICT remark > NOTE < last line *must* be permit any
    access-list L2L-RESTRICT extended permit ip any any
    !
    access-group L2L-RESTRICT out interface inside

    <..snip..>

    Their network is obviously 192.168.16.x and they won't be able to use a different source VLAN, as the "interesting traffic" ACL won't allow it. So that sounds good in theory.

    Do I have it configured correctly? Is there a better way?

    Thanks in advance,

    Mike

    Mike,

    It seems that you might be able to assign a VPN filter ACL via a group policy assigned to each L2L tunnel. I have never done this personally before, but it looks like it would work...

    http://www.Cisco.com/en/us/products/HW/vpndevc/ps2030/products_configuration_example09186a00808c9a87.shtml#configs

  • ASA5510 VPN L2L cannot reach hosts on the other side

    Hello experts,

    I have an ASA5510 with 3 L2L VPNs and remote access VPN. Two L2L VPNs, Marielle and Aeromique, have no problem, but for the ASPCANADA VPN, from a host behind the ASA (192.168.100.xx), I can't reach 57.5.64.250 or 251 and vice versa. But the tunnel is up. Can you help me please? Thank you in advance.

    Add these two lines to the NAT 0 access list:

    access-list inside_outbound_nat0_acl extended permit ip ASP-NETWORK 255.255.255.0 host 57.5.64.251
    access-list inside_outbound_nat0_acl extended permit ip ASP-NETWORK 255.255.255.0 host 57.5.64.250

    Also make sure the mirror of these statements is in the remote ASA's NAT 0 access list.

    Test and validate results

    HTH

    Sangaré

    Pls rate helpful messages

  • VPN l2l failed inside on ASA 5520 (8.02)

    The L2L VPN is dropping packets at Phase 5 because of a configured rule. I have an isakmp sa but the client cannot connect to the destination here in my network. I'll post my access-list config below the packet-tracer output.

    vpnASA01# packet-tracer input inside icmp [10.0.0.243] 0 8 10.97.29.73 det

    Phase: 1
    Type: CAPTURE
    Subtype:
    Result: ALLOW
    Config:
    Additional Information:
     Forward Flow based lookup yields rule:
     id=0xc92087c8, priority=12, domain=capture, deny=false
     hits=85188209121, user_data=0xc916a478, cs_id=0x0, l3_type=0x0
     src mac=0000.0000.0000, mask=0000.0000.0000
     dst mac=0000.0000.0000, mask=0000.0000.0000

    Phase: 2
    Type: ACCESS-LIST
    Subtype:
    Result: ALLOW
    Config:
    Implicit Rule
    Additional Information:
     Forward Flow based lookup yields rule:
     id=0xc87f1f98, priority=1, domain=permit, deny=false
     hits=85193048387, user_data=0x0, cs_id=0x0, l3_type=0x8
     src mac=0000.0000.0000, mask=0000.0000.0000
     dst mac=0000.0000.0000, mask=0000.0000.0000

    Phase: 3
    Type: FLOW-LOOKUP
    Subtype:
    Result: ALLOW
    Config:
    Additional Information:
     Found no matching flow, creating a new flow

    Phase: 4
    Type: ROUTE-LOOKUP
    Subtype: input
    Result: ALLOW
    Config:
    Additional Information:
     in 10.0.0.0 255.0.0.0 inside

    Phase: 5
    Type: ACCESS-LIST
    Subtype:
    Result: DROP
    Config:
    Implicit Rule
    Additional Information:
     Forward Flow based lookup yields rule:
     id=0xc87f3670, priority=111, domain=permit, deny=true
     hits=67416, user_data=0x0, cs_id=0x0, flags=0x4000, protocol=0
     src ip=0.0.0.0, mask=0.0.0.0, port=0
     dst ip=0.0.0.0, mask=0.0.0.0, port=0

    Result:
    input-interface: inside
    input-status: up
    input-line-status: up
    output-interface: inside
    output-status: up
    output-line-status: up
    Action: drop
    Drop-reason: (acl-drop) Flow is denied by configured rule

    = ACCESS-LIST + Config =

    object-group network L2LVPN-blah_local
     network-object 10.97.29.73 255.255.255.255
    object-group network L2LVPN-blah_remote
     network-object [10.0.0.240] 255.255.255.240

    access-list INBOUND_OUTSIDE extended permit ip object-group L2LVPN-blah_remote object-group L2LVPN-blah_local

    access-list L2LVPN-blah_obj extended permit ip object-group L2LVPN-blah_local object-group L2LVPN-blah_remote

    access-list SHEEP extended permit ip any [10.0.0.243] 255.255.255.240

    route outside [10.0.0.240] 255.255.255.240 [10.97.29.1] 1

    crypto map outside-VPN 46 match address L2LVPN-blah_obj
    crypto map outside-VPN 46 set peer [10.0.0.243]
    crypto map outside-VPN 46 set transform-set esp-sha-aes-256
    crypto map outside-VPN interface outside

    tunnel-group [10.0.0.243] type ipsec-l2l
    tunnel-group [10.0.0.243] ipsec-attributes
     pre-shared-key *

    [10.0.0.1] is to protect the global addresses of clients. Assume that these are used in place of the actual IP range, 10.0.0.240/28.

    ===========================================

    Thanks in advance.

    Michael Garcia

    Profit Systems, Inc..

    Hi Michael,

    - Is the peer IP really part of the network that makes up the encryption domain?

    - Is the ACL INBOUND_OUTSIDE applied to the inside interface (inbound) or the outside interface (inbound)? In its current form, it would need to be on the outside interface.

    - You specify only the peer IP in the ACL SHEEP, so all other traffic would be NAT'd and eventually denied because it does not match the encryption domain.

    Someone else may have a few ideas, but these are questions I have for the moment.

    James

  • On the Question of VPN S2S source NAT

    Currently we have a number of VPN implementations with various clients. We are NAT'ing their ranges to a /24 in our network to keep routing simple, but we are looking to source NAT our resources due to security concerns. Here is an example of a current VPN that we have configured:

    crypto map outside_map 5 match address SAMPLE_cryptomap
    crypto map outside_map 5 set peer 99.99.99.99
    crypto map outside_map 5 set ikev1 transform-set ESP-3DES-MD5 SHA-ESP-3DES
    crypto map outside_map 5 set reverse-route

    access-list SAMPLE_cryptomap extended permit ip object-group APP_CLIENT_Hosts object-group CLIENT_Hosts

    nat (inside,outside) source static APP_CLIENT_Hosts APP_CLIENT_Hosts destination static CLIENT_Host_1_NAT CLIENT_Host_1 no-proxy-arp route-lookup
    nat (inside,outside) source static APP_CLIENT_Hosts APP_CLIENT_Hosts destination static CLIENT_Host_2_NAT CLIENT_Host_2 no-proxy-arp route-lookup
    nat (inside,outside) source static APP_CLIENT_Hosts APP_CLIENT_Hosts destination static CLIENT_Host_3_NAT CLIENT_Host_3 no-proxy-arp route-lookup

    object-group network APP_CLIENT_Hosts
     network-object object SITE1_APP_JCAPS_Dev_VIP
     network-object object SITE1_APP_JCAPS_Prod_VIP
     network-object object SITE2_APP_JCAPS_Dev_Host
     network-object object SITE2_APP_JCAPS_Prod_VIP
     network-object object SITE1_APP_PACS_Primary

    object network SITE1_APP_JCAPS_Dev_VIP
     host 10.200.125.32
    object network SITE1_APP_JCAPS_Prod_VIP
     host 10.200.120.32
    object network SITE2_APP_JCAPS_Dev_Host
     host 10.30.15.30
    object network SITE2_APP_JCAPS_Prod_VIP
     host 10.30.10.32
    object network SITE1_APP_PACS_Primary
     host 10.200.10.75
    object network CLIENT_Host_1
     host 192.168.15.100
    object network CLIENT_Host_2
     host 192.168.15.130
    object network CLIENT_Host_3
     host 192.168.15.15
    object network CLIENT_Host_1_NAT
     host 10.200.192.31
    object network CLIENT_Host_2_NAT
     host 10.200.192.32
    object network CLIENT_Host_3_NAT
     host 10.200.192.33

    My question revolves around the source NAT configuration. If I understand correctly, I have to configure 3 NAT statements per source NAT, since there are three different destinations that are NAT'ed. I think I would need to add this:

    object network SITE1_APP_JCAPS_Dev_VIP_NAT

     host 88.88.88.81

    object network SITE1_APP_JCAPS_Prod_VIP_NAT

     host 88.88.88.82

    object network SITE2_APP_JCAPS_Dev_Host_NAT

     host 88.88.88.83

    object network SITE2_APP_JCAPS_Prod_VIP_NAT

     host 88.88.88.84

    object network SITE1_APP_PACS_Primary_NAT

     host 88.88.88.85

    nat (inside,outside) source static SITE1_APP_JCAPS_Dev_VIP SITE1_APP_JCAPS_Dev_VIP_NAT destination static CLIENT_Host_1_NAT CLIENT_Host_1 no-proxy-arp route-lookup

    nat (inside,outside) source static SITE1_APP_JCAPS_Dev_VIP SITE1_APP_JCAPS_Dev_VIP_NAT destination static CLIENT_Host_2_NAT CLIENT_Host_2 no-proxy-arp route-lookup

    nat (inside,outside) source static SITE1_APP_JCAPS_Dev_VIP SITE1_APP_JCAPS_Dev_VIP_NAT destination static CLIENT_Host_3_NAT CLIENT_Host_3 no-proxy-arp route-lookup

    nat (inside,outside) source static SITE1_APP_JCAPS_Prod_VIP SITE1_APP_JCAPS_Prod_VIP_NAT destination static CLIENT_Host_1_NAT CLIENT_Host_1 no-proxy-arp route-lookup

    nat (inside,outside) source static SITE1_APP_JCAPS_Prod_VIP SITE1_APP_JCAPS_Prod_VIP_NAT destination static CLIENT_Host_2_NAT CLIENT_Host_2 no-proxy-arp route-lookup

    nat (inside,outside) source static SITE1_APP_JCAPS_Prod_VIP SITE1_APP_JCAPS_Prod_VIP_NAT destination static CLIENT_Host_3_NAT CLIENT_Host_3 no-proxy-arp route-lookup

    nat (inside,outside) source static SITE2_APP_JCAPS_Dev_Host SITE2_APP_JCAPS_Dev_Host_NAT destination static CLIENT_Host_1_NAT CLIENT_Host_1 no-proxy-arp route-lookup

    nat (inside,outside) source static SITE2_APP_JCAPS_Dev_Host SITE2_APP_JCAPS_Dev_Host_NAT destination static CLIENT_Host_2_NAT CLIENT_Host_2 no-proxy-arp route-lookup

    nat (inside,outside) source static SITE2_APP_JCAPS_Dev_Host SITE2_APP_JCAPS_Dev_Host_NAT destination static CLIENT_Host_3_NAT CLIENT_Host_3 no-proxy-arp route-lookup

    nat (inside,outside) source static SITE2_APP_JCAPS_Prod_VIP SITE2_APP_JCAPS_Prod_VIP_NAT destination static CLIENT_Host_1_NAT CLIENT_Host_1 no-proxy-arp route-lookup

    nat (inside,outside) source static SITE2_APP_JCAPS_Prod_VIP SITE2_APP_JCAPS_Prod_VIP_NAT destination static CLIENT_Host_2_NAT CLIENT_Host_2 no-proxy-arp route-lookup

    nat (inside,outside) source static SITE2_APP_JCAPS_Prod_VIP SITE2_APP_JCAPS_Prod_VIP_NAT destination static CLIENT_Host_3_NAT CLIENT_Host_3 no-proxy-arp route-lookup

    nat (inside,outside) source static SITE1_APP_PACS_Primary SITE1_APP_PACS_Primary_NAT destination static CLIENT_Host_1_NAT CLIENT_Host_1 no-proxy-arp route-lookup

    nat (inside,outside) source static SITE1_APP_PACS_Primary SITE1_APP_PACS_Primary_NAT destination static CLIENT_Host_2_NAT CLIENT_Host_2 no-proxy-arp route-lookup

    nat (inside,outside) source static SITE1_APP_PACS_Primary SITE1_APP_PACS_Primary_NAT destination static CLIENT_Host_3_NAT CLIENT_Host_3 no-proxy-arp route-lookup

    Is that correct, or is there an easier way to do this without having to add all these NAT statements? Also, would any change need to be made to the access list?

    Hello

    To my knowledge you should not have to create several new NAT statements. You should be fine just creating a new 'object-group' for the new NAT addresses of your source addresses.

    To better explain, take a look at your current 'object-group' that defines your source addresses

    object-group network APP_CLIENT_Hosts

     network-object object SITE1_APP_JCAPS_Dev_VIP

     network-object object SITE1_APP_JCAPS_Prod_VIP

     network-object object SITE2_APP_JCAPS_Dev_Host

     network-object object SITE2_APP_JCAPS_Prod_VIP

     network-object object SITE1_APP_PACS_Primary

    What you can now do is configure an "object-group" that contains a NAT IP address for each of the IP addresses inside the 'object-group' and 'object' used above. The IMPORTANT thing is that the 'object-group' that contains the NAT IP addresses is in the SAME ORDER as the actual source addresses.

    I mean that the first IP address in the above 'object-group' will correspond to the first IP address in the newly created "object-group" for the NAT IP addresses.

    With the above, you can simply have the same 3 "nat" configurations as before, but you change/add in the newly created "object-group"

    For example, you might do the following

    object network SITE1_APP_JCAPS_Dev_VIP_NAT

     host 88.88.88.81

    object network SITE1_APP_JCAPS_Prod_VIP_NAT

     host 88.88.88.82

    object network SITE2_APP_JCAPS_Dev_Host_NAT

     host 88.88.88.83

    object network SITE2_APP_JCAPS_Prod_VIP_NAT

     host 88.88.88.84

    object network SITE1_APP_PACS_Primary_NAT

     host 88.88.88.85

    object-group network APP_CLIENT_Hosts_NAT

     network-object object SITE1_APP_JCAPS_Dev_VIP_NAT

     network-object object SITE1_APP_JCAPS_Prod_VIP_NAT

     network-object object SITE2_APP_JCAPS_Dev_Host_NAT

     network-object object SITE2_APP_JCAPS_Prod_VIP_NAT

     network-object object SITE1_APP_PACS_Primary_NAT

    Then you add the following "nat" configurations

    nat (inside,outside) 1 source static APP_CLIENT_Hosts APP_CLIENT_Hosts_NAT destination static CLIENT_Host_1_NAT CLIENT_Host_1 no-proxy-arp route-lookup

    nat (inside,outside) 2 source static APP_CLIENT_Hosts APP_CLIENT_Hosts_NAT destination static CLIENT_Host_2_NAT CLIENT_Host_2 no-proxy-arp route-lookup

    nat (inside,outside) 3 source static APP_CLIENT_Hosts APP_CLIENT_Hosts_NAT destination static CLIENT_Host_3_NAT CLIENT_Host_3 no-proxy-arp route-lookup

    Note the line numbers we added to the above commands. They make the commands go to the top of the ASA's NAT rules, and therefore they will become active immediately. Without the line numbers they will only be used after you remove the old lines.

    Then you can remove the "old"

    no nat (inside,outside) source static APP_CLIENT_Hosts APP_CLIENT_Hosts destination static CLIENT_Host_1_NAT CLIENT_Host_1 no-proxy-arp route-lookup

    no nat (inside,outside) source static APP_CLIENT_Hosts APP_CLIENT_Hosts destination static CLIENT_Host_2_NAT CLIENT_Host_2 no-proxy-arp route-lookup

    no nat (inside,outside) source static APP_CLIENT_Hosts APP_CLIENT_Hosts destination static CLIENT_Host_3_NAT CLIENT_Host_3 no-proxy-arp route-lookup

    This should leave you with 3 "nat" configurations that NAT both the source and destination addresses.

    Naturally, while you perform this change you will also have to change the Crypto ACL to match the new source NAT. This is because all NAT is done before any VPN on the ASA. So the destination addresses are un-NATed before VPN and source addresses are translated before VPN.

    If you want to make the changes without affecting the connections too much, I suggest

    • Add rules to the Crypto ACL for the new (NAT) source addresses. Of course, this must be done on both sides of the L2L VPN. You would still be leaving the original configurations in the Crypto ACL so as not to break the functioning of the L2L VPN.
    • Add the new "nat" configurations above without the line numbers I mentioned, which means that they won't be used until you remove the "old" ones.
    • When you are ready to migrate to the new IP addresses, simply remove the original "nat" configurations and the ASA will start matching the traffic to the new "nat" configurations. Provided of course that there is no other "nat" configuration before the new ones that could mess things up. This should be verified by the person making the changes.

    Of course, if you can afford a small outage, then the order in which you do things should not matter that much. In my work, the connections are usually not so critical that you can't make these changes at almost any point, as it takes only a matter of minutes to make the changes.

    Hope this made sense and helped

    Remember to mark a reply as the answer if it answered your question.

    Feel free to ask more if necessary.

    -Jouni
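The positional pairing and the Crypto ACL consequence described in the answer above, as an added sketch (not part of the thread and not Cisco tooling). The sample config is constructed from the thread's object names, the function names `parse` and `crypto_acl_entries` are hypothetical, and only `host` objects and `source static ... destination static ...` rules are handled.

```python
import re

# Constructed sample in ASA 8.3+ syntax, using object names and addresses from the thread.
CONFIG = """\
object network SITE1_APP_JCAPS_Dev_VIP
 host 10.200.125.32
object network SITE1_APP_JCAPS_Prod_VIP
 host 10.200.120.32
object network SITE1_APP_JCAPS_Dev_VIP_NAT
 host 88.88.88.81
object network SITE1_APP_JCAPS_Prod_VIP_NAT
 host 88.88.88.82
object network CLIENT_Host_1
 host 192.168.15.100
object network CLIENT_Host_1_NAT
 host 10.200.192.31
object-group network APP_CLIENT_Hosts
 network-object object SITE1_APP_JCAPS_Dev_VIP
 network-object object SITE1_APP_JCAPS_Prod_VIP
object-group network APP_CLIENT_Hosts_NAT
 network-object object SITE1_APP_JCAPS_Dev_VIP_NAT
 network-object object SITE1_APP_JCAPS_Prod_VIP_NAT
nat (inside,outside) 1 source static APP_CLIENT_Hosts APP_CLIENT_Hosts_NAT destination static CLIENT_Host_1_NAT CLIENT_Host_1 no-proxy-arp route-lookup
"""
NAT_RE = re.compile(r"nat \(\S+\)(?: \d+)? source static (\S+) (\S+) destination static (\S+) (\S+)")

def parse(config):
    """Return ({name: [host IPs in config order]}, [NAT rule name tuples])."""
    hosts, rules, current = {}, [], None
    for line in config.splitlines():
        if m := re.match(r"object(?:-group)? network (\S+)", line):
            current = hosts.setdefault(m[1], [])
        elif m := re.match(r" +host (\S+)", line):
            current.append(m[1])
        elif m := re.match(r" +network-object object (\S+)", line):
            current.extend(hosts[m[1]])  # members keep their configured order
        elif m := NAT_RE.match(line):
            rules.append(m.groups())
    return hosts, rules

def crypto_acl_entries(config):
    """Yield (real_src, crypto_src, crypto_dst): mapped source, real destination."""
    hosts, rules = parse(config)
    for real_src, mapped_src, _mapped_dst, real_dst in rules:
        real, mapped = hosts[real_src], hosts[mapped_src]
        if len(real) != len(mapped):  # a one-to-one static pairing needs equal sizes
            raise ValueError(f"{real_src}: {len(real)} hosts, {mapped_src}: {len(mapped)}")
        for r, m in zip(real, mapped):  # first real member pairs with first mapped member
            yield from ((r, m, d) for d in hosts[real_dst])
```

Running it over a candidate config before the change window shows which translated source and real destination each Crypto ACL line has to carry, and it fails loudly if the two groups have drifted out of step.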

  • Packet-tracer for L2L VPN

    If anyone can help with the packet-tracer command to migrate to L2L IPsec VPN

    on ASA (a)

    ciscoasa# packet-tracer input outside tcp 10.10.1.2 12345 192.168.1.2 80

    ASA (a)

    Inside IP address - 192.168.1.2

    Destination port 80

    ASA (b)

    Inside IP address - 10.10.1.2

    Source port 12345

    Hello

    So if your 'inside' host is 192.168.1.2 and the 'outside' host is 10.10.1.2, then you could just use the following

    packet-tracer input inside tcp 192.168.1.2 12345 10.10.1.2 80

    If the goal is just to test the VPN negotiation, then the ports are not really important, but naturally the traffic tested with "packet-tracer" must be allowed by your "inside" interface ACL. The essential thing is that the source and destination addresses match the L2L VPN (Crypto ACL) configurations.

    Generally you would use NAT0 for these local and remote networks, so NAT should not be a problem when testing from that direction. I suppose there might be rare situations where using the command in this direction is not possible.

    -Jouni

  • Block unsolicited incoming traffic over L2L VPN on ASA5505

    I have a working L2L between two locations, Location A and B.

    Location A: 172.16.16.0/24

    Location B: 192.168.0.0/24

    I would like to block any incoming traffic to Location A from Location B that is not initiated from Location A. The block must be done on the ASA5505 at Location A. Location B uses an ISR G2 router.

    That is, Location A can start an SSH session to a server at Location B

    Location B cannot start an SSH session to a server at Location A

    I tried to use a VPN filter on the ASA5505, but it is not dynamic; I cannot pass any traffic while it is in use.

    Config on my ASA:

    access-list vpn-traffic permit ip 172.16.16.0 255.255.255.0 192.168.0.0 255.255.255.0

    access-list block-vpn-to-local extended deny ip 192.168.0.0 255.255.255.0 172.16.16.0 255.255.255.0

    access-list block-vpn-to-local extended permit ip any any

    crypto map vpn 100 match address vpn-traffic

    crypto map vpn 100 set peer location-public-IP

    crypto map vpn 100 set transform-set esp-aes256-sha

    crypto map vpn interface outside

    group-policy block-vpn-to-local-policy internal

    group-policy block-vpn-to-local-policy attributes

     vpn-filter value block-vpn-to-local

     vpn-tunnel-protocol IPSec

    tunnel-group location-public-IP type ipsec-l2l

    tunnel-group location-public-IP general-attributes

     default-group-policy block-vpn-to-local-policy

    tunnel-group location-public-IP ipsec-attributes

     pre-shared-key *

    I also have an AnyConnect VPN configured on the ASA5505, and it runs 8.2(5). Any tips?

    Hello

    Unless you already have a lot of VPN connections in use, there's also another option besides the VPN filter ACL.

    You can globally change the "sysopt connection permit-vpn" setting (the default is that this option is enabled)

    If you change this setting to "no sysopt connection permit-vpn", every connection from the remote site will require an ACL rule in the ACL of the interface that terminates the VPN. And that's usually the 'outside' interface

    I find it in a way an easy and clear way of building the ACL rules for VPN connections too, although the 'outside' ACL would now include both VPN and Internet traffic. It still beats using the VPN filter ACL if you ask me.

    The downside of activating this later is the fact that if you have had no restrictions between the VPN and LAN connections, you would now have to determine what must be open before you can change the global setting, so that connections don't stop working.

    Here is the section of the ASA 8.2 command reference for the command / setting I'm talking about

    http://www.Cisco.com/en/us/docs/security/ASA/asa82/command/reference/S8.html#wp1517364

    If you want to go with the VPN filter ACL, then follow the instructions in the earlier posts while strengthening the ACL rules.

    -Jouni
