Remote host IP SLA ping by tunnel VPN with NAT

Hi all

I did some research here, but don't drop on similar issues. I'm sure that what I want is not possible, but I want to make sure.

I want to monitor a remote host on the other side a VPN. The local endpoint is my ASA.

The local INSIDE_LAN traffic is NATted to 10.19.124.1 before entering the VPN tunnel.

Interesting VPN traffic used ACL card crypto:

access-list 1 permit line ACL_TUNNELED_TO_REMOTE extended ip host 10.19.124.1 192.168.1.0 255.255.255.0

NAT rules:

Global (OUTSIDE) 2 10.19.124.1 mask 255.255.255.255 subnet

NAT (INSIDE_LAN) 2-list of access ACL_NAT_TO_REMOTE

NAT ACL

access-list 1 permit line ACL_NAT_TO_REMOTE extended ip 172.19.126.32 255.255.255.224 192.168.1.0 255.255.255.0

This configuration works very well for traffic from hosts in 172.19.126.32 255.255.255.224 is 192.168.1.0 255.255.255.0.

However, I like to use "ip sla" on the SAA itself to monitor a remote host with icmp ping 192.168.1.0. This would imply NATting one IP on the ASA to 10.19.124.1, but I do not see how to do this. None of the interfaces on the SAA are logical, to use as a source for this interface.

Thanks for ideas and comments.

Concerning

Advertisement

You are absolutely right, that unfortunately you won't able to NAT interface ASA IP address. NAT works for traffic passing by the ASA, don't not came from the SAA itself.

Tags: Cisco Security

Similar Questions

  • Tunnel VPN and NAT

    Hello. I'm creating a tunnel VPN IPSec LAN - to - LAN of my ASA5510 to another network but met an obstacle bit. My counterpart on the other side has informed me that he already has a VPN tunnel to another company that has the same IP range as my network(10.100.16.0 /24) and can not create the tunnel.

    I was wondering is it possible to use NAT on the VPN tunnel so that traffic that goes from my network over the VPN tunnel gets translated and my counterpart on the other side sees this reflects the range of IP addresses?

    Thanks in advance for any help.

    Hello

    Yes, you can use the same address you already use for internet access.

    Just update your list of access crypto to reflect the new address and to ensure that the third party did the same.

    Jon

  • VPN with NAT Interface

    Hello

    I am trying to set up a VPN between a VLAN I have defined and another office. I have been using nat on the interface for internet access with a NAT pool.

    I created the VPN with crypto card and the VPN is successfully registered.

    The problem I encounter is that with NAT is enabled, internet access is working but I can ping through the VPN.

    If I disable NAT, VPN works perfectly, but then him VLAN cannot access the internet.

    What should I do differently?

    Here is the config:

    Feature: 2911 with security package

    Local network: 10.10.104.0/24

    Remote network: 192.168.1.0/24

    Public beach: 65.49.46.68/28

    crypto ISAKMP policy 104

    BA 3des

    preshared authentication

    Group 2

    lifetime 28800

    ISAKMP crypto key REDACTED address 75.76.102.50

    Crypto ipsec transform-set esp-3des esp-sha-hmac strongsha

    OFFICE 104 ipsec-isakmp crypto map

    defined by peer 75.76.102.50

    Set transform-set strongsha

    match address 104

    interface GigabitEthernet0/0

    IP 65.49.46.68 255.255.255.240

    penetration of the IP stream

    NAT outside IP

    IP virtual-reassembly

    full duplex

    Speed 100

    standby mode 0 ip 65.49.46.70

    0 6 2 sleep timers

    standby 0 preempt

    card crypto OFFICE WAN redundancy

    interface GigabitEthernet0/2.104

    encapsulation dot1Q 104

    IP 10.10.104.254 255.255.255.0

    IP nat pool wan_access 65.49.46.70 65.49.46.70 prefix length 28

    overload of IP nat inside source list 99 pool wan_access

    access-list 99 permit 10.10.104.0 0.0.0.255

    access-list 104. allow ip 10.10.104.0 0.0.0.255 192.168.1.0 0.0.0.255

    access-list 104. allow ip 192.168.1.0 0.0.0.255 10.10.104.0 0.0.0.255

    access-list 104 allow icmp 10.10.104.0 0.0.0.255 192.168.1.0 0.0.0.255

    access-list 104 allow icmp 192.168.1.0 0.0.0.255 10.10.104.0 0.0.0.255

    ISAKMP crypto #sh her

    IPv4 Crypto ISAKMP Security Association

    DST CBC conn-State id

    65.49.46.70 75.76.102.50 QM_IDLE 1299 ACTIVE

    Hello!

    Please, make these changes:

    extended Internet-NAT IP access list

    deny ip 10.10.104.0 0.0.0.255 192.168.1.0 0.0.0.255

    IP 10.10.104.0 allow 0.0.0.255 any

    IP nat inside source list Internet-NAT pool access-wan overload

    * Please do not remove the old NAT instance until you add that above.

    Please hold me.

    Thank you!

    Sent by Cisco Support technique Android app

  • Publish a server with NAT anchored through a tunnel VPN with ASA

    Hi all

    Thanks in advance for helping me out - I know somebody did, and I have trouble finding how do.  I don't know that I'm missing something simple.

    I have a client who wants to view a DVR device through a VPN tunnel that is published through the public firewall to collocation.  Endpoint DVR is endpoint ip assigned dynamically which tunnelle the host on demand (I know that the tunnel could fall).

    So I think / thought I could hairpin hair/policy nat this, but I'm not the best at this.

    Let's see if I can get this

    IP public 1.1.1.1\

    > External interface of ASA

    2.2.2.2 / private ip

    My config as I know it is pertinant is as follows:

    permit same-security-traffic intra-interface

    list of allowed incoming access extended ip any host 168.215.x.x

    Access-group interface incoming outside

    public static 168.215.x.x (outside, outside) 10.10.x.xnetmask 255.255.255.255

    I am running version 8.2.5 of the image of the SAA.

    If you could take a look and let me know what Miss me you please.

    Thank you

    Hello

    The problem here is of course the fact that we can not configure NAT0 without causing all traffic from the remote Internet can flow through the VPN connection.

    So I wonder if another type of NAT configuration would actually work.

    I would call it static political identity NAT if such a name exists yet.

    Something like that

    Note of DVR-POLICY-NAT-list of Direct HTTP access to VPN traffic

    allow to Access-list DVR-POLICY-NAT tcp host 10.10.2.253 eq 80 a

    public static 10.10.2.53 (inside, outside) access list DVR-POLICY-NAT

    This should basically do what

    • When the DVR is sending any traffic source TCP TCP/80 (essentially the traffic back to the connection from the main site) to ANY destination address (The Internet) then the host must translate to himself.
    • If we consider that NAT is performed before the VPN rules are processed this should mean that since we have concerns address itself, it must match the VPN rule only in this particular case where the traffic is TCP/80, which could only be the result of her replying to a link any destination TCP/80)
    • Which leads me to believe it shouldn't cause any problems with the Central connection on remote site (NAT0 is processed before political static NAT) or the RECORDER to Internet
    • Unless the DVR must be accessible directly via the Internet connection of the remote site. (He would send his answers to these HTTP connections outside with the originating source IP address) Or maybe even completely before connecting the phase failure. I have not tested.

    Hope this helps

    Be sure to mark it as answered in the affirmative. And/or useful response rate.

    Ask more if necessary.

    EDIT: typos

    -Jouni

  • L2l VPN with nat

    Hi all

    I'm quite inexperienced in this subject and would appreciate advice on this

    I need to create a VPN tunnel between our site and a remote site.

    On our site, we are a network 192.168.0.X our external ip address is 12.53.150.100

    We need to connect to the site is 69.144.38.48

    We need to move from host to host meaning 192.168.0.97--> 69.144.38.50 and they want our ip to translate to 10.9.250.1

    Thanks in advance

    Jason

    Are you familiar with the establishment of a regular L2L tunnel? In addition to this, you just create a nat policy:

    access-list extended 100 permit ip host 192.168.0.97 69.144.38.50

    public static 10.9.250.1 (inside, outside) - access list 100

    When you define your ACL crypto, you specify 10.9.250.1 as the source instead of 192.168.0.97.

    Let me know if you need help most.

  • VPN with NAT

    I'm sure this question has been asked several times, but I want to assure you that I understand before proceeding.

    I set up a site to site VPN IPSec between two ASAs.

    I want to an internal host NAT which link to the counterpart of my VPN network. So I need to make sure that traffic from this host internal is NATted before entering the VPN tunnel as "interesting traffic.

    So let's say that distance 192.168.20.0/24 network connects via the IPSec VPN tunnel with their peers, 65.200.1.1 and 198.14.7.10, to host the 10.100.1.7 on my network.

    I want NAT host 10.100.1.7 to 192.168.100.5 to the remote network connects to the 192 address, not the 10

    How can I do this?

    (I use an ASA 5505)

    Hello Colin,

    That's right, it's one of the great things about the changes on the version 8.3 and prior. You can create a political rule of nat in a single line.

    Please let me know if you understand this or if there is something else I can do for you.

    Evaluate the useful ticket.

    Have a good night,

    Julio

  • Problem with tunnel IPSEC with NAT

    Hello

    I had an ipsec tunnel between a former Cisco router at a remote site. I'm the config 887 to an ASA migration. The remote site cannot establish the tunnel. This is the only site having problems. There are one number of other sites remote connection back without problem.

    The Setup is

    192.168.1.x (main site inside) - ASA - 86.x.x.x (outside) - Internet - 159.x.x.x (side remote outdoors) - Firewall - 10.10.10.x

    The remote site will not accept the 192.168.1.x range so I'm NATing 192.168.50.x which is what they want to see

    The config I have is

    network of the NAT_TO_Remote1 object
    192.168.50.0 subnet 255.255.255.0
    network of the Remote1 object
    subnet 10.10.10.0 255.255.252.0

    NAT NAT_TO_Remote1 (Interior, exterior) destination 192.168.1.0 source static static Remote1 Remote1

    IKEv1 crypto policy 30
    preshared authentication
    3des encryption
    sha hash
    Group 2
    life 86400

    Crypto ipsec transform-set esp-3des esp-sha-hmac ikev1 3DES-SHA1

    card crypto Outside_map 10 corresponds to the address Qualcom_VPN
    card crypto Outside_map 10 set peer 159.x.x.x
    card crypto Outside_map 10 set transform-set 3DES-SHA1 ikev1
    card crypto Outside_map 10 set pfs Group1
    Outside_map interface card crypto outside

    RemoteSite_VPN list extended access allowed host ip 192.168.50.20 10.10.10.0 255.255.252.0
    RemoteSite_VPN list extended access allowed host ip 192.168.50.30 10.10.10.0 255.255.252.0
    RemoteSite_VPN list extended access allowed host ip 192.168.50.40 10.10.10.0 255.255.252.0

    tunnel-group 159.x.x.x type ipsec-l2l
    tunnel-group 159.x.x.x General-attributes
    Group Policy - by default-RemoteSites
    159.x.x.x group of tunnel ipsec-attributes
    IKEv1 pre-shared-key *.

    I was wondering if I'm missing something obvious here.

    Hello

    You must check the IPSEC transform set and see if they have enabled PFS group or not?

    card crypto Outside_map 10 set pfs Group1

    Try using group2, or turn it off.

    Kind regards

    Aditya

    Please evaluate the useful messages and mark the correct answers.

  • LAN to LAN VPN with NAT - solved!

    Hello world

    I have problems with a VPN L2L is implemented and logged, however when traffic comes from the other side of the tunnel it is not the host to internal network using a static NAT. Inside host 172.18.30.225 is current NATted to yyy.30.49.14 which is an IP address on the DMZ (yyy.30.49.0 255.255.255.240) Interface.

    Here is the configuration

    object-group network NET Tunnel
    network-host xxx.220.129.134 object

    Access tunnel list - extended ACL permit ip host yyy.30.49.14 object-group NET Tunnel

    correspondence address card crypto MAP_Tunnel 20 Tunnel-ACL

    the Tunnel-iServer-NAT object network
    Home yyy.30.49.14
    network of the Tunnel and drop-in iServer object
    Home 172.18.30.225

    network of the Tunnel and drop-in iServer object
    NAT (internal, DMZ) static Tunnel-iServer-NAT

    I hope that it is enough for someone to help me.

    Thank you

    M

    Version 8.3.1 ASA

    Post edited by: network operations

    The internal host does live on the network DMZ or internal? If she lives on the internal network, you can not NAT to the DMZ to interface and make it out of the external Interface, assuming that the external interface is the interface of VPN endpoint. If you terminate the VPN on the DMZ interface and the internal host lives on the internal network, then that's fine.

  • IOS VPN with NAT need help with ACL?

    What I forget? I have tried other positions, studied bugs known with 12.2 (13) T1, etc. workaround solutions, but perhaps my other choice of configuration interfere with my VPN configuration.

    I can connect, authenticate locally, very well. Stats of Cisco VPN client 3.6.3 show I'm Encrypting traffic on the protected networks, but I can not all traffic through internal hosts once I've connected.

    I removed security tags and replaced all the public IP addresses to fake in hope that someone can point me to what is obvious!

    Thank you very much.

    ----------

    Current configuration: 5508 bytes

    !

    ! 22:24:38 PST configuration was last modified Thursday February 20, 2003 by kevin

    !

    version 12.2

    horodateurs service debug uptime

    Log service timestamps uptime

    encryption password service

    !

    AAA new-model

    !

    AAA authentication login userauthen local

    AAA authorization groupauthor LAN

    AAA - the id of the joint session

    IP subnet zero

    !

    IP domain name mondomaine.fr

    name of the IP-server 199.13.28.12

    name of the IP-server 199.13.29.12

    !

    IP inspect the audit trail

    IP inspect high 1100 max-incomplete

    IP inspect a high minute 1100

    inspect the tcp IP Ethernet_0_1 name

    inspect the IP udp Ethernet_0_1 name

    inspect the IP name Ethernet_0_1 cuseeme

    inspect the IP name Ethernet_0_1 ftp

    inspect the IP h323 Ethernet_0_1 name

    inspect the IP rcmd Ethernet_0_1 name

    inspect the IP name Ethernet_0_1 realaudio

    inspect the IP name smtp Ethernet_0_1

    inspect the name Ethernet_0_1 streamworks IP

    inspect the name Ethernet_0_1 vdolive IP

    inspect the IP name Ethernet_0_1 sqlnet

    inspect the name Ethernet_0_1 tftp IP

    inspect the IP name Ethernet_0_1 http java-list 99

    inspect the name Ethernet_0_1 rtsp IP

    inspect the IP name Ethernet_0_1 netshow

    inspect the tcp IP Ethernet_0_0 name

    inspect the IP name Ethernet_0_0 ftp

    inspect the IP udp Ethernet_0_0 name

    audit of IP notify Journal

    Max-events of po verification IP 100

    !

    crypto ISAKMP policy 3

    BA 3des

    preshared authentication

    Group 2

    ISAKMP crypto nat keepalive 20

    !

    ISAKMP crypto client configuration group vpngroup

    xxxxxxxxx key

    DNS 199.13.28.12 199.13.29.12

    domain mydomain.com

    pool vpnpool

    ACL 110

    !

    !

    Crypto ipsec transform-set esp-3des esp-sha-hmac RIGHT

    !

    Crypto-map dynamic dynmap 10

    Set transform-set RIGHT

    !

    !

    map clientmap client to authenticate crypto list userauthen

    card crypto clientmap isakmp authorization list groupauthor

    client configuration address map clientmap crypto answer

    10 ipsec-isakmp crypto map clientmap Dynamics dynmap

    !

    MTA receive maximum-recipients 0

    !

    !

    interface Ethernet0/0

    Description connected to the Internet

    IP 199.201.44.198 255.255.255.248

    IP access-group 101 in

    NAT outside IP

    inspect the IP Ethernet_0_0 in

    no ip route cache

    no ip mroute-cache

    Half duplex

    clientmap card crypto

    !

    interface Serial0/0

    no ip address

    Shutdown

    !

    interface Ethernet0/1

    Connected to the private description

    IP 192.168.1.254 255.255.255.0

    IP access-group 100 to

    IP nat inside

    inspect the IP Ethernet_0_1 in

    Half duplex

    !

    IP local pool vpnpool 192.168.2.201 192.168.2.210

    period of translation nat IP 119

    !!

    !! -removed the following line for VPN configuration

    !! IP nat inside source list 1 interface Ethernet0/0 overload

    !! -replaced by the next line...

    IP nat inside source map route sheep interface Ethernet0/0 overload

    IP nat inside source 192.168.1.1 static 199.201.44.197

    IP classless

    IP route 0.0.0.0 0.0.0.0 199.201.44.193 permanent

    IP http server

    7 class IP http access

    local IP http authentication

    !

    access-list 1 permit 192.168.1.0 0.0.0.255

    access-list 5 permit 192.5.41.40

    access-list 5 permit 192.5.41.41

    access-list 5 refuse any

    access-list 7 permit 192.168.1.0 0.0.0.255

    access-list 7 refuse any

    access-list 99 refuse any

    access-list 100 permit udp any eq rip all rip eq

    access-list 100 permit tcp 192.168.1.1 host any eq www

    access-list 100 permit ip 192.168.1.1 host everything

    access list 100 permit tcp host 192.168.1.2 any eq www

    access-list 100 permit ip 192.168.1.2 host everything

    access-list 100 deny ip 192.168.1.253 host everything

    access ip-list 100 permit a whole

    access-list 101 deny host ip 199.201.44.197 all

    access-list 101 permit tcp any host 199.201.44.197 eq 22

    access-list 101 permit tcp any host 199.201.44.197 eq www

    access-list 101 permit tcp any host 199.201.44.197 eq 115

    access-list 101 permit icmp any host 199.201.44.197

    access list 101 ip allow any host 199.201.44.198

    access-list 101 permit tcp any host 199.201.44.197 eq 8000

    access-list 101 permit tcp any host 199.201.44.197 eq 8080

    access-list 101 permit tcp any host 199.201.44.197 eq 9090

    access-list 101 permit udp any host 199.201.44.197 eq 7070

    access-list 101 permit udp any host 199.201.44.197 eq 554

    access-list 110 permit ip 192.168.1.0 0.0.0.255 any

    access-list 115 deny ip 192.168.1.0 0.0.0.255 192.168.2.0 0.0.0.255

    access-list 115 permit ip 192.168.1.0 0.0.0.255 any

    !

    sheep allowed 10 route map

    corresponds to the IP 115

    !

    Line con 0

    exec-timeout 0 0

    password 7 XXXXXXXXXXXXXXX

    line to 0

    line vty 0 4

    password 7 XXXXXXXXXXXXXXXX

    !

    NTP-period clock 17208655

    source NTP Ethernet0/0

    peer NTP access-Group 5

    NTP 7 use only group-access

    NTP master 3

    NTP 192.5.41.41 Server

    NTP 192.5.41.40 Server

    !

    end

    ----------

    Config looks OK, you should be able to get for each internal host EXCEPT 192.168.1.1 with this configuration. If you do a ' sho cry ipsec his 'you see Pkts Decaps increment, indicating that you see the traffic of the remote client? " Do you not see Pkts Encaps increment, indicating that you send a response réécrirait the client to the internal host.

    For what is 192.168.1.1, because you have this:

    > ip nat inside source 192.168.1.1 static 199.201.44.197

    It substitutes for this:

    > ip nat inside source map route sheep interface Ethernet0/0 overload

    for this host traffic only and therefore back for just this host is always NAT would have even if you don't want it to be. To work around to send traffic to this host through an interface of closure with no NAT enabled on it, that it is NAT would have stops and allows you to connect via VPN. You can see http://www.cisco.com/warp/public/707/static.html for a detailed explanation, but basically, we must add this:

    loopback interface 0

    IP 1.1.1.1 255.255.255.0

    interface ethernet0/1

    Static IP policy route map

    permissible static route map 10

    match address 120

    set ip next-hop 1.1.1.2

    access-list 120 allow host ip 192.168.1.1 192.168.2.0 0.0.0.255

  • L2l VPN with NAT static to hide the IP internal on Cisco 1841 ISR

    I configured a VPN L2L on a Cisco 1841 ISR.  I'm statically from some of my internal hosts to IPS that are included in encrypted traffic.  Please note that not all internal hosts are underway using a NAT.  I am doing this for hidden some of the actual IP addresses on the inside network.  I confirmed that the VPN works as well as natives of VPN traffic.  I configured VPN L2L traditionally on the Cisco ASA 5500 Series devices, and this is my first attempt with HIA of 1841.  I want just the other to take a glance to see if I missed something, or could I effectively part of the configuration.  All comments are welcome.

    VPN-RTR-01 #show run
    Building configuration...

    Current configuration: 9316 bytes
    !
    version 12.4
    horodateurs service debug datetime msec
    Log service timestamps datetime msec
    encryption password service
    !
    hostname VPN-RTR-01
    !
    boot-start-marker
    boot-end-marker
    !
    ! type map necessary for vwic/slot-slot 0/0 control
    logging buffered 51200 warnings
    no console logging
    enable secret 5 xxxxxxxxxxxxxxx
    enable password 7 xxxxxxxxxxxxxxx
    !
    No aaa new-model
    IP cef
    !
    !
    !
    !
    no ip domain search
    property intellectual auth-proxy max-nodata-& 3
    property intellectual admission max-nodata-& 3
    !
    !
    Crypto pki trustpoint TP-self-signed-2010810276
    enrollment selfsigned
    name of the object cn = IOS - Self - signed - certificate - 2010810276
    revocation checking no
    rsakeypair TP-self-signed-2010810276
    !
    !
    TP-self-signed-2010810276 crypto pki certificate chain
    certificate self-signed 01
    30820246 308201AF A0030201 02020101 300 D 0609 2A 864886 F70D0101 04050030
    2 060355 04031326 494F532D 53656 C 66 2 AND 536967 6E65642D 43657274 31312F30
    69666963 32303130 38313032 6174652D 3736301E 31393334 OF 30333131 170 3131
    30365A 17 0D 323030 31303130 30303030 305A 3031 06035504 03132649 312F302D
    4F532D53 5369676E 656C662D 43 65727469 66696361 74652 32 30313038 65642D
    31303237 3630819F 300 D 0609 2A 864886 01050003, 818, 0030, 81890281 F70D0101
    8100C3FF F5EADA3B BCB06873 5577DB24 2AD8ECBB 00D53F1A 37342E2E 5CC9202A
    7F128E51 016CD6EC D8734F4D 28BE8B0A FCD6B714 8D13585B 7844C09C 79BA8F13
    B75E4E98 25D91F02 A4773F66 83407A8B 85447 64 A6889DD9 6085857F 737F8A9F
    749F4297 8804C4F3 D28A6C33 F4137BBE 67F9B945 F239789E 1303AD6D DB98B7E2
    52B 50203 010001 HAS 3 1 130101 FF040530 030101FF 30190603 0F060355 6E306C30
    551 1104 12301082 0E535458 2D56504E 2 525452 2 303130 1 230418 1F060355 D
    3B 232987 30168014 2CBB9DD0 B34B7243 7F8095C8 7AFBEFE3 301D 0603 551D0E04
    1604143B 2329872C BB9DD0B3 4B72437F 8095C87A FBEFE330 0D06092A 864886F7
    010104 05000381 8100A 831 8E05114A DE8AF6C5 4CB45914 36B6427C 42B30F07 0D
    C5C47BC9 0110BCAA A985CB3F 5CBB855B B12D3225 B8021234 86D1952C 655071E4
    66C18F42 F84492A9 835DE884 341B3A95 A3CED4E8 F37E7609 88F52640 741D74D2
    37842 D 39 E5F2B208 0D4D57E1 C5633DEB ACDFC897 7D50683D 05B5FDAA E42714B4
    DD29E815 E9F90877 4 D 68
    quit smoking
    username privilege 15 password 7 xxxxxxxxxxxxxxx lhocin
    username privilege 15 password 7 xxxxxxxxxxxxxxx jsmith
    !
    !
    !
    !
    crypto ISAKMP policy 5
    BA aes 256
    preshared authentication
    Group 2
    lifetime 28800
    xxxxxxxxxxxxxxx key address 172.21.0.1 crypto ISAKMP xauth No.
    !
    !
    Crypto ipsec transform-set ESP-AES256-SHA esp - aes 256 esp-sha-hmac
    !
    card crypto SITES REMOTE VPN-ipsec-isakmp 1
    defined by peer 172.21.0.1
    game of transformation-ESP-AES256-SHA
    match address VPN-REMOTE-SITE
    !
    !
    !
    interface FastEthernet0/0
    no ip address
    automatic speed
    full-duplex
    No mop enabled
    !
    interface FastEthernet0/0.1
    encapsulation dot1Q 1 native
    !
    interface FastEthernet0/0.2
    Description $FW_INSIDE$
    encapsulation dot1Q 61
    IP 10.1.0.34 255.255.255.224
    IP access-group 100 to
    IP nat inside
    IP virtual-reassembly
    !
    interface FastEthernet0/0.3
    Description $FW_OUTSIDE$
    encapsulation dot1Q 111
    IP 172.20.32.17 255.255.255.224
    IP access-group 101 in
    Check IP unicast reverse path
    NAT outside IP
    IP virtual-reassembly
    crypto VPN-REMOTE-SITE map
    !
    interface FastEthernet0/1
    no ip address
    Shutdown
    automatic duplex
    automatic speed
    !
    IP forward-Protocol ND
    IP route 0.0.0.0 0.0.0.0 172.20.32.1
    IP route 10.16.0.0 255.255.0.0 10.1.0.33
    IP route 10.19.0.0 255.255.0.0 10.1.0.33
    IP route 10.191.0.0 255.255.0.0 10.1.0.33
    IP route 10.192.0.0 255.255.0.0 10.1.0.33
    IP route 192.168.20.48 255.255.255.240 10.1.0.33
    !
    !
    IP http server
    local IP http authentication
    IP http secure server
    IP http timeout policy inactive 600 life 86400 request 10000
    IP nat inside source map route NO_NAT interface FastEthernet0/0.3 overload
    IP nat inside source static 10.191.0.11 192.168.20.54 STATIC_NAT_7 card expandable route
    IP nat inside source static 10.191.0.12 192.168.20.55 STATIC_NAT_8 card expandable route
    IP nat inside source static 10.192.1.1 192.168.20.56 STATIC_NAT_1 card expandable route
    IP nat inside source static 10.192.1.2 192.168.20.57 STATIC_NAT_2 card expandable route
    IP nat inside source static 10.192.1.3 192.168.20.58 STATIC_NAT_3 card expandable route
    IP nat inside source static 10.192.1.4 192.168.20.59 STATIC_NAT_4 card expandable route
    IP nat inside source static 10.192.1.5 192.168.20.61 STATIC_NAT_5 card expandable route
    IP nat inside source static 10.16.1.6 192.168.20.62 STATIC_NAT_6 card expandable route
    !
    VPN-REMOTE-SITE extended IP access list
    IP 192.168.20.48 allow the host 0.0.0.15 10.174.52.39
    IP 192.168.20.48 allow the host 0.0.0.15 10.174.52.40
    inside_nat_static_1 extended IP access list
    permit ip host 10.192.1.1 10.174.52.39
    permit ip host 10.192.1.1 10.174.52.40
    refuse an entire ip
    inside_nat_static_2 extended IP access list
    permit ip host 10.192.1.2 10.174.52.39
    permit ip host 10.192.1.2 10.174.52.40
    refuse an entire ip
    inside_nat_static_3 extended IP access list
    permit ip host 10.192.1.3 10.174.52.39
    permit ip host 10.192.1.3 10.174.52.40
    refuse an entire ip
    inside_nat_static_4 extended IP access list
    permit ip host 10.192.1.4 10.174.52.39
    permit ip host 10.192.1.4 10.174.52.40
    refuse an entire ip
    inside_nat_static_5 extended IP access list
    permit ip host 10.192.1.5 10.174.52.39
    permit ip host 10.192.1.5 10.174.52.40
    refuse an entire ip
    inside_nat_static_6 extended IP access list
    permit ip host 10.16.1.6 10.174.52.39
    permit ip host 10.16.1.6 10.174.52.40
    refuse an entire ip
    inside_nat_static_7 extended IP access list
    permit ip host 10.191.0.11 10.174.52.39
    permit ip host 10.191.0.11 10.174.52.40
    refuse an entire ip
    inside_nat_static_8 extended IP access list
    permit ip host 10.191.0.12 10.174.52.39
    permit ip host 10.191.0.12 10.174.52.40
    refuse an entire ip
    !
    access-list 100 remark self-generated by the configuration of the firewall SDM
    Access-list 100 = 1 SDM_ACL category note
    access-list 100 deny ip 172.20.32.0 0.0.0.31 all
    access-list 100 deny ip 255.255.255.255 host everything
    access-list 100 deny ip 127.0.0.0 0.255.255.255 everything
    access ip-list 100 permit a whole
    Remark SDM_ACL category of access list 101 = 17
    access-list 101 permit udp any host 192.168.20.62
    access-list 101 permit tcp any host 192.168.20.62
    access-list 101 permit udp any host 192.168.20.61
    access-list 101 permit tcp any host 192.168.20.61
    access-list 101 permit udp any host 192.168.20.59
    access-list 101 permit tcp any host 192.168.20.59
    access-list 101 permit udp any host 192.168.20.58
    access-list 101 permit tcp any host 192.168.20.58
    access-list 101 permit udp any host 192.168.20.57
    access-list 101 permit tcp any host 192.168.20.57
    access-list 101 permit udp any host 192.168.20.56
    access-list 101 permit tcp any host 192.168.20.56
    access-list 101 permit udp any host 192.168.20.55
    access-list 101 permit tcp any host 192.168.20.55
    access-list 101 permit udp any host 192.168.20.54
    access-list 101 permit tcp any host 192.168.20.54
    access-list 101 permit ip 10.174.52.40 host 192.168.20.48 0.0.0.15
    access-list 101 permit ip 10.174.52.39 host 192.168.20.48 0.0.0.15
    access-list 101 permit udp host 172.21.0.1 host 172.20.32.17 eq non500-isakmp
    access-list 101 permit udp host 172.21.0.1 host 172.20.32.17 eq isakmp
    access-list 101 permit esp 172.21.0.1 host 172.20.32.17
    access-list 101 permit ahp host 172.21.0.1 172.20.32.17
    access-list 101 permit icmp any host 172.20.32.17 - response
    access-list 101 permit icmp any host 172.20.32.17 time limit
    access-list 101 permit icmp any unreachable host 172.20.32.17
    access-list 101 permit udp any host isakmp 172.20.32.17 newspaper eq
    access-list 101 permit udp any host 172.20.32.17 eq non500-isakmp
    access-list 101 permit tcp any host 172.20.32.17 eq 443
    access-list 101 permit tcp any host 172.20.32.17 eq 22
    access-list 101 permit tcp any host 172.20.32.17 eq cmd
    access-list 101 deny ip 10.1.0.32 0.0.0.31 all
    access-list 101 deny ip 10.0.0.0 0.255.255.255 everything
    access-list 101 deny ip 172.16.0.0 0.15.255.255 all
    access-list 101 deny ip 192.168.0.0 0.0.255.255 everything
    access-list 101 deny ip 127.0.0.0 0.255.255.255 everything
    access-list 101 deny ip 255.255.255.255 host everything
    access-list 101 deny host ip 0.0.0.0 everything
    access-list 101 deny ip any any newspaper
    access-list 102 deny ip 192.168.20.48 0.0.0.15 host 10.174.52.40
    access-list 102 deny ip 192.168.20.48 0.0.0.15 host 10.174.52.39
    access-list 102 permit ip 10.1.0.32 0.0.0.31 all
    !
    allowed NO_NAT 1 route map
    corresponds to the IP 102
    !
    STATIC_NAT_8 allowed 10 route map
    inside_nat_static_8 match ip address
    !
    STATIC_NAT_5 allowed 10 route map
    inside_nat_static_5 match ip address
    !
    STATIC_NAT_4 allowed 10 route map
    inside_nat_static_4 match ip address
    !
    STATIC_NAT_7 allowed 10 route map
    inside_nat_static_7 match ip address
    !
    STATIC_NAT_6 allowed 10 route map
    inside_nat_static_6 match ip address
    !
    STATIC_NAT_1 allowed 10 route map
    inside_nat_static_1 match ip address
    !
    STATIC_NAT_3 allowed 10 route map
    inside_nat_static_3 match ip address
    !
    STATIC_NAT_2 allowed 10 route map
    inside_nat_static_2 match ip address
    !
    !
    !
    control plan
    !
    !
    !
    Line con 0
    exec-timeout 30 0
    line to 0
    line vty 0 4
    privilege level 15
    local connection
    transport input telnet ssh
    line vty 5 15
    privilege level 15
    local connection
    transport input telnet ssh
    !
    Scheduler allocate 20000 1000
    end

    VPN-RTR-01 #.

    Hello

    Configuration looks ok to me.

    yet you can cross-reference with the following link:

    http://www.Cisco.com/en/us/Tech/tk583/TK372/technologies_configuration_example09186a0080223a59.shtml

    I hope this helps.

    Kind regards

    Anisha

    P.S.: Please mark this thread as answered if you feel that your query is resolved. Note the useful messages.

  • concentrator 3000 2 lan lan VPN with NAT

    I need to configure a vpn lan-2lan between 2 3030 concentrators (separate companies) on the Internet. My company assigns a small subnet for hosts sitting on the client network. The customer wants to use their own IP subnet and assign IP addresses within their range. So, they do static NAT on their hub. Is this possible? Or have they NAT s pc before arriving to the hub? Any help much appreciated.

    Hello

    Concentrator VPN supports the NAT.

    http://Cisco.com/en/us/products/HW/vpndevc/ps2284/products_configuration_example09186a00801ae24c.shtml

    HTH

    Kind regards

    GE.

  • IOS IPSEC VPN with NAT - translation problem

    I'm having a problem with IOS IPSEC VPN configuration.

    /*

    crypto ISAKMP policy 10

    BA 3des

    preshared authentication

    Group 2

    ISAKMP crypto keys TEST123 address 205.xx.1.4

    !

    !

    Crypto ipsec transform-set esp-3des esp-sha-hmac CHAIN

    !

    !

    Map 10 CRYPTO map ipsec-isakmp crypto

    the value of 205.xx.1.4 peer

    transformation-CHAIN game

    match address 115

    !

    interface FastEthernet0/0

    Description FOR the EDGE ROUTER

    IP address 208.xx.xx.33 255.255.255.252

    NAT outside IP

    card crypto CRYPTO-map

    !

    interface FastEthernet0/1

    INTERNAL NETWORK description

    IP 10.15.2.4 255.255.255.0

    IP nat inside

    access-list 115 permit 192.xx.xx.128 0.0.0.3 ip 172.xx.1.0 0.0.0.3

    */

    (This configuration is incomplete / NAT configuration needed)

    Here is the solution that I'm looking for:

    When a session is initiated from the "internal network" to the "distance IPSEC - 172.xx.1.0/30 ' network I want the address scheme '10.15.0.0/16' NAT translation deals with '192.xx.xx.128/30' before forwarding via the IPSEC VPN Tunnel.

    For more information, see "SCHEMA ATTACHED".

    Any help is greatly appreciated!

    Thank you

    Clint Simmons

    Network engineer

    You can try the following NAT + route map approach (method 2 in this link)

    http://www.Cisco.com/en/us/Tech/tk648/tk361/technologies_tech_note09186a0080093fca.shtml

    Thank you

    Raja K

  • L2l - VPN with NAT incoming

    Cisco ASA (site A) with 2 L2L-VLNs (call the Site B and Site C)

    I need "inbound nat' Site-C network.

    Let me explain better:

    -Site-B (10.14.63.0/24) accepts only traffic between the local network of the site-A (10.1.6.0/24), and I can't change the VPN.

    -Now, I've logged on the Site-A site-C, and this must also communicate with site-B

    -So I thought I have nat, the network of Site-C (10.168.3.0/24) in order to present with an IP of A Site.

    Possible?

    And how to configure the ASA at the Site-A?

    Thank you

    Claudio

    Hello

    What is the level of software on the Site to ASA?

    -Jouni

  • How to start the tunnels without the need of ping to a remote host

    That's the big question!

    How can you tunnels without need to ping to a remote host in the target network? Our clients get hung on a regular basis because of this problem. 10 points for the first answer!

    Hello

    You can configure KeepAlive on end VPN.

    For example

    On PIX

    ISAKMP keepalive 2 30

    On IOS

    ISAKMP crypto keepalive 10 periodicals

    If it does not solve that and you need some kind of traffic you can configure NTP on the link VPN (source of the private interface it is so interesting traffic for VPN).

    HTH

    Sangaré

  • HTTPS protocol between the client vpn and host of the internet through tunnel ipsec-parody

    Hello

    We have a cisco ASA 5505 and try to get the next job:

    ip (192.168.75.5) - connected to the Cisco ASA 5505 VPN client

    the customer gets a specific route for an internet address (79.143.218.35 255.255.255.255 192.168.75.1 192.168.75.5 100)

    When I try to access the url of the client, I get a syn sent with netstat

    When I try trace ASA package, I see the following:

    1

    FLOW-SEARCH

    ALLOW

    Not found no corresponding stream, creating a new stream

    2

    ROUTE SEARCH

    entry

    ALLOW

    in 0.0.0.0 0.0.0.0 outdoors

    3

    ACCESS-LIST

    Journal

    ALLOW

    Access-group outside_access_in in interface outside

    outside_access_in list extended access permitted tcp everything any https eq

    access-list outside_access_in note hyperion outside inside

    4

    IP-OPTIONS

    ALLOW

    5

    CP-PUNT

    ALLOW

    6

    VPN

    IPSec-tunnel-flow

    ALLOW

    7

    IP-OPTIONS

    ALLOW

    8

    VPN

    encrypt

    ALLOW

    outdoors

    upward

    upward

    outdoors

    upward

    upward

    drop

    (ipsec-parody) Parody of detected IPSEC

    When I try the reverse (i.e. from the internet host to vpn client), it seems to work:

    1

    FLOW-SEARCH

    ALLOW

    Not found no corresponding stream, creating a new stream

    2

    ROUTE SEARCH

    entry

    ALLOW

    in 192.168.75.5 255.255.255.255 outside

    3

    ACCESS-LIST

    Journal

    ALLOW

    Access-group outside_access_in in interface outside

    outside_access_in of access allowed any ip an extended list

    4

    IP-OPTIONS

    ALLOW

    5

    VPN

    IPSec-tunnel-flow

    ALLOW

    6

    VPN

    encrypt

    ALLOW

    My question is why this phenomenon happens and how solve us this problem?

    Thanks in advance, Sipke

    our running-config:

    : Saved

    :

    ASA Version 8.0 (4)

    !

    ciscoasa hostname

    domain somedomain

    activate the password - encrypted

    passwd - encrypted

    names of

    name 10.10.1.0 Hyperion

    name 164.140.159.x xxxx

    name 192.168.72.25 xxxx

    name 192.168.72.24 xxxx

    name 192.168.72.196 xxxx

    name 192.168.75.0 vpn clients

    name 213.206.236.0 xxxx

    name 143.47.160.0 xxxx

    name 141.143.32.0 xxxx

    name 141.143.0.0 xxxx

    name 192.168.72.27 xxxx

    name 10.1.11.0 xxxx

    name 10.1.2.240 xxxx

    name 10.1.1.0 xxxx

    name 10.75.2.1 xxxx

    name 10.75.2.23 xxxx

    name 192.168.72.150 xxxx

    name 192.168.33.0 xxxx

    name 192.168.72.26 xxxx

    name 192.168.72.5 xxxx

    name 192.168.23.0 xxxx

    name 192.168.34.0 xxxx

    name 79.143.218.35 inethost

    !

    interface Vlan1

    nameif inside

    security-level 100

    IP 192.168.72.254 255.255.255.0

    OSPF cost 10

    !

    interface Vlan2

    nameif outside

    security-level 0

    IP address 193.173.x.x 255.255.255.240

    OSPF cost 10

    !

    interface Vlan3

    Shutdown

    nameif dmz

    security-level 50

    192.168.50.1 IP address 255.255.255.0

    OSPF cost 10

    !

    interface Vlan23

    nameif wireless

    security-level 80

    192.168.40.1 IP address 255.255.255.0

    OSPF cost 10

    !

    interface Ethernet0/0

    switchport access vlan 2

    !

    interface Ethernet0/1

    !

    interface Ethernet0/2

    !

    interface Ethernet0/3

    !

    interface Ethernet0/4

    !

    interface Ethernet0/5

    switchport access vlan 3

    !

    interface Ethernet0/6

    switchport access vlan 23

    !

    interface Ethernet0/7

    !

    passive FTP mode

    clock timezone THATS 1

    clock to summer time CEDT recurring last Sun Mar 02:00 last Sun Oct 03:00

    DNS lookup field inside

    DNS server-group DefaultDNS

    domain pearle.local

    permit same-security-traffic inter-interface

    permit same-security-traffic intra-interface

    object-group Protocol TCPUDP

    object-protocol udp

    object-tcp protocol

    object-group service RDP - tcp

    Remote Desktop Protocol Description

    EQ port 3389 object

    object-group service UDP - udp VC

    range of object-port 60000 60039

    object-group VC - TCP tcp service

    60000 60009 object-port Beach

    object-group service tcp Fortis

    1501 1501 object-port Beach

    Beach of port-object 1502-1502

    Beach of port-object sqlnet sqlnet

    1584 1584 object-port Beach

    1592 1592 object-port Beach

    object-group service tcp fortis

    1592 1592 object-port Beach

    Beach of port-object 1502-1502

    1584 1584 object-port Beach

    Beach of port-object sqlnet sqlnet

    1501 1501 object-port Beach

    1500 1500 object-port Beach

    the DM_INLINE_NETWORK_1 object-group network

    object-network 192.168.50.0 255.255.255.0

    object-network 192.168.72.0 255.255.255.0

    object-network 192.168.40.0 255.255.255.0

    object-network VPN_Pool_2 255.255.255.0

    the DM_INLINE_NETWORK_2 object-group network

    object-network 192.168.50.0 255.255.255.0

    object-network 192.168.72.0 255.255.255.0

    object-group network inside-networks

    object-network 192.168.72.0 255.255.255.0

    WingFTP_TCP tcp service object-group

    Secure FTP description

    port-object eq 989

    port-object eq 990

    DM_INLINE_TCP_1 tcp service object-group

    port-object eq ftp

    port-object eq ftp - data

    Group object WingFTP_TCP

    DM_INLINE_TCP_2 tcp service object-group

    port-object eq ftp

    port-object eq ftp - data

    Group object WingFTP_TCP

    the DM_INLINE_NETWORK_3 object-group network

    object-network 192.168.72.0 255.255.255.0

    object-network VPN_Pool_2 255.255.255.0

    the DM_INLINE_NETWORK_4 object-group network

    object-network 192.168.72.0 255.255.255.0

    object-network VPN_Pool_2 255.255.255.0

    object-group network Oracle

    network-object OracleTwo 255.255.224.0

    network-object OracleOne 255.255.240.0

    network-object OracleThree 255.255.224.0

    the DM_INLINE_NETWORK_5 object-group network

    network-object Grandvision 255.255.255.0

    network-object Grandvision2 255.255.255.240

    object-network Grandvision3 255.255.255.0

    host of the object-Network Grandvision4

    host of the object-Network GrandVision_PC

    the DM_INLINE_NETWORK_6 object-group network

    network-object Grandvision 255.255.255.0

    network-object Grandvision2 255.255.255.240

    object-network Grandvision3 255.255.255.0

    host of the object-Network Grandvision4

    host of the object-Network GrandVision_PC

    the DM_INLINE_NETWORK_7 object-group network

    network-object Grandvision 255.255.255.0

    network-object Grandvision2 255.255.255.240

    object-network Grandvision3 255.255.255.0

    host of the object-Network GrandVision_PC

    the DM_INLINE_NETWORK_8 object-group network

    network-object Grandvision 255.255.255.0

    network-object Grandvision2 255.255.255.240

    object-network Grandvision3 255.255.255.0

    host of the object-Network GrandVision_PC

    object-group service DM_INLINE_SERVICE_2

    the purpose of the ip service

    EQ-3389 tcp service object

    the DM_INLINE_NETWORK_9 object-group network

    network-object OracleThree 255.255.0.0

    network-object OracleTwo 255.255.224.0

    network-object OracleOne 255.255.240.0

    object-group service DM_INLINE_SERVICE_3

    the purpose of the ip service

    EQ-3389 tcp service object

    Atera tcp service object-group

    Atera Webbased monitoring description

    8001 8001 object-port Beach

    8002 8002 object-port Beach

    8003 8003 object-port Beach

    WingFTP_UDP udp service object-group

    port-object eq 989

    port-object eq 990

    WingFTP tcp service object-group

    Description range of ports for the transmission of data

    object-port range 1024-1054

    HTTPS_redirected tcp service object-group

    Description redirect WingFTP Server

    port-object eq 40200

    Note to inside_access_in to access list ICMP test protocol inside outside

    inside_access_in list extended access allow icmp 192.168.72.0 255.255.255.0 any

    Note to inside_access_in to access list ICMP test protocol inside outside

    access-list inside_access_in note HTTP inside outside

    inside_access_in list extended access allowed object-group TCPUDP 192.168.72.0 255.255.255.0 any eq www

    access-list inside_access_in note queries DNS inside to outside

    inside_access_in list extended access allowed object-group TCPUDP 192.168.72.0 255.255.255.0 no matter what eq field

    access-list inside_access_in note the HTTPS protocol inside and outside

    inside_access_in list extended access permitted tcp 192.168.72.0 255.255.255.0 any https eq

    Note to inside_access_in to access list ICMP test protocol inside outside

    access-list inside_access_in note 7472 Epo-items inside outside

    inside_access_in list extended access permitted tcp 192.168.72.0 255.255.255.0 any eq 7472

    access-list inside_access_in note POP3 inside outside

    inside_access_in list extended access permitted tcp 192.168.72.0 255.255.255.0 any eq pop3

    inside_access_in list extended access permit udp host LifeSize-PE-HQ any object-group UDP - VC

    inside_access_in list extended access permit tcp host LifeSize-PE-HQ all eq h323

    access-list inside_access_in note video conference services

    inside_access_in list extended access permit tcp host LifeSize-PE-HQ any object-group VC - TCP

    inside_access_in list extended access permitted tcp 192.168.72.0 255.255.255.0 any

    Note to inside_access_in to access list Fortis

    inside_access_in list extended access permitted tcp 192.168.72.0 255.255.255.0 any object-group Fortis

    access extensive list ip 192.168.40.0 inside_access_in allow 255.255.255.0 any

    inside_access_in list extended access permitted tcp 192.168.40.0 255.255.255.0 any

    inside_access_in list extended access permitted tcp 192.168.40.0 255.255.255.0 any eq www

    inside_access_in list extended access permitted tcp 192.168.40.0 255.255.255.0 any https eq

    inside_access_in allowed all Hyperion 255.255.255.0 ip extended access list

    inside_access_in list extended access udp allowed any any eq isakmp

    inside_access_in list extended access udp allowed any any eq ntp

    inside_access_in list extended access udp allowed any any eq 4500

    inside_access_in list of allowed ip extended access any Oracle object-group

    inside_access_in list extended access udp allowed any any eq 10000

    access-list inside_access_in note PPTP inside outside

    inside_access_in list extended access permit tcp any any eq pptp

    access-list inside_access_in note WILL inside outside

    inside_access_in list extended access will permit a full

    Note to inside_access_in to access the Infrastructure of the RIM BES server list

    inside_access_in list extended access permit tcp host BESServer any eq 3101

    inside_access_in list extended access permit tcp any any DM_INLINE_TCP_2 object-group

    inside_access_in list extended access permit tcp any any HTTPS_redirected object-group

    access extensive list ip Hyperion 255.255.255.0 inside_access_in 255.255.255.0 allow VPN_Pool_2

    inside_access_in list extended access permit udp any host 86.109.255.177 eq 1194

    access extensive list ip 192.168.72.0 inside_access_in allow 255.255.255.0 DM_INLINE_NETWORK_7 object-group

    access extensive list ip VPN_Pool_2 inside_access_in allow 255.255.255.0 any

    inside_access_in list extended access deny ip any any inactive debug log

    Note to outside_access_in to access list ICMP test protocol outside inside

    outside_access_in list extended access permit icmp any one

    access-list outside_access_in Note SMTP outside inside

    outside_access_in list extended access permit tcp any any eq smtp

    outside_access_in list extended access udp allowed any any eq ntp disable journal

    access-list outside_access_in note 7472 EPO-items outside inside

    outside_access_in list extended access permit tcp any any eq 7472

    outside_access_in list extended access permit tcp any any object-group inactive RDP

    outside_access_in list extended access permit tcp any any eq www

    outside_access_in list extended access permit tcp any any HTTPS_redirected object-group

    outside_access_in list extended access permitted tcp everything any https eq

    access-list outside_access_in note hyperion outside inside

    outside_access_in list extended access permitted tcp Hyperion 255.255.255.0 DM_INLINE_NETWORK_4 object-group

    outside_access_in to access Hyperion 255.255.255.0 ip extended list object-group DM_INLINE_NETWORK_3 allow

    outside_access_in list extended access permit tcp any host LifeSize-PE-HQ eq h323

    outside_access_in list extended access permit tcp any host LifeSize-PE-HQ object-group VC - TCP

    outside_access_in list extended access permit udp any host group-object-LifeSize-PE-HQ UDP - VC

    outside_access_in of access allowed any ip an extended list

    outside_access_in list extended access udp allowed any any eq 4500

    outside_access_in list extended access udp allowed any any eq isakmp

    outside_access_in list extended access udp allowed any any eq 10000

    outside_access_in list extended access will permit a full

    outside_access_in list extended access permit tcp any any eq pptp

    outside_access_in list extended access permit tcp any any DM_INLINE_TCP_1 object-group

    outside_access_in list extended access allowed object-group ip DM_INLINE_NETWORK_8 192.168.72.0 255.255.255.0 inactive

    outside_access_in list extended access permit tcp any any Atera object-group

    outside_access_in list extended access deny ip any any inactive debug log

    outside_1_cryptomap list extended access allowed object-group Hyperion DM_INLINE_NETWORK_2 255.255.255.0 ip

    outside_1_cryptomap to access extended list ip 192.168.50.0 allow Hyperion 255.255.255.0 255.255.255.0

    access extensive list ip 192.168.72.0 inside_nat0_outbound allow Hyperion 255.255.255.0 255.255.255.0

    inside_nat0_outbound list of allowed ip extended access all 193.172.182.64 255.255.255.240

    inside_nat0_outbound list of allowed ip extended access all 192.168.72.192 255.255.255.192

    inside_nat0_outbound list of allowed ip extended access all 192.168.72.0 255.255.255.0

    access extensive list ip 192.168.72.0 inside_nat0_outbound allow 255.255.255.0 VPN_Pool_2 255.255.255.0

    access extensive list ip 192.168.72.0 inside_nat0_outbound allow 255.255.255.0 DM_INLINE_NETWORK_5 object-group

    inside_nat0_outbound list of allowed ip extended access all GrandVisionSoesterberg 255.255.255.0

    inside_nat0_outbound list of allowed ip extended access any Swabach 255.255.255.0

    access-list 200 scope allow tcp all fortis of fortis host object-group

    access extensive list ip VPN_Pool_2 outside_nat0_outbound allow 255.255.255.0 DM_INLINE_NETWORK_9 object-group

    outside_cryptomap_2 list extended access allowed object-group Hyperion DM_INLINE_NETWORK_1 255.255.255.0 ip

    outside_cryptomap_2 to access extended list ip 192.168.50.0 allow Hyperion 255.255.255.0 255.255.255.0

    Note Wireless_access_in of access list, select Hyperion / wifi access NAT rule.

    Access extensive list ip 192.168.40.0 Wireless_access_in allow Hyperion inactive 255.255.255.0 255.255.255.0

    Wireless_access_in list extended access deny ip 192.168.40.0 255.255.255.0 192.168.72.0 255.255.255.0

    Comment by Wireless_access_in-list of the traffic Internet access

    Access extensive list ip 192.168.40.0 Wireless_access_in allow 255.255.255.0 any

    standard access list splittunnelclientvpn allow 192.168.72.0 255.255.255.0

    splittunnelclientvpn list standard access allowed Hyperion 255.255.255.0

    standard access list splittunnelclientvpn allow Pearleshare 255.255.255.0

    splittunnelclientvpn list standard access allowed host 85.17.235.22

    splittunnelclientvpn list standard access allowed OracleThree 255.255.224.0

    standard access list splittunnelclientvpn allow 143.47.128.0 255.255.240.0

    splittunnelclientvpn list standard access allowed host inethost

    Standard access list SplittnlHyperion allow OracleThree 255.255.0.0

    Standard access list SplittnlOOD allow OracleThree 255.255.0.0

    Standard access list SplittnlOOD allow 143.47.128.0 255.255.240.0

    access extensive list ip 192.168.72.0 outside_cryptomap allow 255.255.255.0 DM_INLINE_NETWORK_6 object-group

    outside_cryptomap_1 list of allowed ip extended access all GrandVisionSoesterberg 255.255.255.0

    outside_cryptomap_3 list of allowed ip extended access any Swabach 255.255.255.0

    192.168.72.0 IP Access-list extended sheep 255.255.255.0 GrandVisionSoesterberg 255.255.255.0 allow

    192.168.72.0 IP Access-list extended sheep 255.255.255.0 VPN_Pool_2 255.255.255.0 allow

    pager lines 24

    Enable logging

    asdm of logging of information

    Within 1500 MTU

    Outside 1500 MTU

    MTU 1500 dmz

    MTU 1500 wireless

    local pool VPN_DHCP 192.168.72.220 - 192.168.72.235 255.255.255.0 IP mask

    mask 192.168.75.1 - 192.168.75.50 255.255.255.0 IP local pool VPN_Range_2

    no failover

    ICMP unreachable rate-limit 1 burst-size 1

    ICMP allow any inside

    ICMP allow all outside

    ASDM image disk0: / asdm - 613.bin

    don't allow no asdm history

    ARP timeout 14400

    Global 1 interface (outside)

    NAT (inside) 0 access-list sheep

    NAT (inside) 1 0.0.0.0 0.0.0.0

    NAT (wireless) 1 192.168.40.0 255.255.255.0

    public static tcp (indoor, outdoor) interface smtp smtp Mailsrv_Pearle_Europe netmask 255.255.255.255

    public static tcp (indoor, outdoor) interface ftp ftp netmask 255.255.255.255 Pearle-DC02

    public static 990 Pearle-DC02 990 netmask 255.255.255.255 interface tcp (indoor, outdoor)

    static (inside, outside) tcp 3389 3389 Mailsrv_Pearle_Europe netmask 255.255.255.255 interface

    public static tcp (indoor, outdoor) interface www Pearle-DC02 www netmask 255.255.255.255

    public static 40200 Pearle-DC02 40200 netmask 255.255.255.255 interface tcp (indoor, outdoor)

    public static tcp (indoor, outdoor) interface https Exchange2010 https netmask 255.255.255.255

    public static tcp (indoor, outdoor) interface h323 h323 LifeSize-PE-HQ netmask 255.255.255.255

    public static 60000 60000 LifeSize-PE-HQ netmask 255.255.255.255 interface tcp (indoor, outdoor)

    public static 60001 LifeSize-PE-HQ 60001 netmask 255.255.255.255 interface tcp (indoor, outdoor)

    public static 60002 LifeSize-PE-HQ 60002 netmask 255.255.255.255 interface tcp (indoor, outdoor)

    public static 60003 LifeSize-PE-HQ 60003 netmask 255.255.255.255 interface tcp (indoor, outdoor)

    public static 60004 LifeSize-PE-HQ 60004 netmask 255.255.255.255 interface tcp (indoor, outdoor)

    public static 60005 LifeSize-PE-HQ 60005 netmask 255.255.255.255 interface tcp (indoor, outdoor)

    public static 60006 LifeSize-PE-HQ 60006 netmask 255.255.255.255 interface tcp (indoor, outdoor)

    public static 60007 LifeSize-PE-HQ 60007 netmask 255.255.255.255 interface tcp (indoor, outdoor)

    public static 60008 LifeSize-PE-HQ 60008 netmask 255.255.255.255 interface tcp (indoor, outdoor)

    public static 60009 LifeSize-PE-HQ 60009 netmask 255.255.255.255 interface tcp (indoor, outdoor)

    public static (inside, outside) udp interface 60001 LifeSize-PE-HQ 60001 netmask 255.255.255.255

    public static (inside, outside) udp interface 60002 LifeSize-PE-HQ 60002 netmask 255.255.255.255

    public static (inside, outside) udp interface 60003 LifeSize-PE-HQ 60003 netmask 255.255.255.255

    public static (inside, outside) udp interface 60004 LifeSize-PE-HQ 60004 netmask 255.255.255.255

    public static (inside, outside) udp interface 60005 LifeSize-PE-HQ 60005 netmask 255.255.255.255

    public static (inside, outside) udp interface 60006 LifeSize-PE-HQ 60006 netmask 255.255.255.255

    public static (inside, outside) udp interface 60007 LifeSize-PE-HQ 60007 netmask 255.255.255.255

    public static (inside, outside) udp interface 60008 LifeSize-PE-HQ 60008 netmask 255.255.255.255

    public static (inside, outside) udp interface 60009 LifeSize-PE-HQ 60009 netmask 255.255.255.255

    public static (inside, outside) udp interface 60010 LifeSize-PE-HQ 60010 netmask 255.255.255.255

    public static (inside, outside) udp interface 60011 LifeSize-PE-HQ 60011 netmask 255.255.255.255

    public static (inside, outside) udp interface 60012 LifeSize-PE-HQ 60012 netmask 255.255.255.255

    public static (inside, outside) udp interface 60013 LifeSize-PE-HQ 60013 netmask 255.255.255.255

    public static (inside, outside) udp interface 60014 LifeSize-PE-HQ 60014 netmask 255.255.255.255

    public static (inside, outside) udp interface 60015 LifeSize-PE-HQ 60015 netmask 255.255.255.255

    public static (inside, outside) udp interface 60016 LifeSize-PE-HQ 60016 netmask 255.255.255.255

    public static (inside, outside) udp interface 60017 LifeSize-PE-HQ 60017 netmask 255.255.255.255

    public static (inside, outside) udp interface 60018 LifeSize-PE-HQ 60018 netmask 255.255.255.255

    public static (inside, outside) udp interface 60019 LifeSize-PE-HQ 60019 netmask 255.255.255.255

    public static (inside, outside) udp interface 60020 LifeSize-PE-HQ 60020 netmask 255.255.255.255

    public static (inside, outside) udp interface 60021 60021 LifeSize-PE-HQ netmask 255.255.255.255

    public static (inside, outside) udp interface 60022 LifeSize-PE-HQ 60022 netmask 255.255.255.255

    public static (inside, outside) udp interface 60023 LifeSize-PE-HQ 60023 netmask 255.255.255.255

    public static (inside, outside) udp interface 60024 LifeSize-PE-HQ 60024 netmask 255.255.255.255

    public static (inside, outside) udp interface 60025 LifeSize-PE-HQ 60025 netmask 255.255.255.255

    public static (inside, outside) udp interface 60026 LifeSize-PE-HQ 60026 netmask 255.255.255.255

    public static (inside, outside) udp interface 60027 LifeSize-PE-HQ 60027 netmask 255.255.255.255

    public static (inside, outside) udp interface 60028 LifeSize-PE-HQ 60028 netmask 255.255.255.255

    public static (inside, outside) udp interface 60029 LifeSize-PE-HQ 60029 netmask 255.255.255.255

    public static (inside, outside) udp interface 60030 LifeSize-PE-HQ 60030 netmask 255.255.255.255

    public static (inside, outside) udp interface 60031 LifeSize-PE-HQ 60031 netmask 255.255.255.255

    public static (inside, outside) udp interface 60032 LifeSize-PE-HQ 60032 netmask 255.255.255.255

    public static (inside, outside) udp interface 60033 LifeSize-PE-HQ 60033 netmask 255.255.255.255

    public static (inside, outside) udp interface 60034 LifeSize-PE-HQ 60034 netmask 255.255.255.255

    public static (inside, outside) udp interface 60035 LifeSize-PE-HQ 60035 netmask 255.255.255.255

    public static (inside, outside) udp interface 60036 LifeSize-PE-HQ 60036 netmask 255.255.255.255

    public static (inside, outside) udp interface 60037 LifeSize-PE-HQ 60037 netmask 255.255.255.255

    public static (inside, outside) udp interface 60038 LifeSize-PE-HQ 60038 netmask 255.255.255.255

    public static (inside, outside) udp interface 60039 LifeSize-PE-HQ 60039 netmask 255.255.255.255

    public static (inside, outside) udp interface 60040 60040 LifeSize-PE-HQ netmask 255.255.255.255

    public static Mailsrv_Pearle_Europe 7472 netmask 255.255.255.255 7472 interface tcp (indoor, outdoor)

    public static LanSweep-XP netmask 255.255.255.255 8001 8001 interface tcp (indoor, outdoor)

    public static 8002 8002 LanSweep-XP netmask 255.255.255.255 interface tcp (indoor, outdoor)

    public static LanSweep-XP netmask 255.255.255.255 8003 8003 interface tcp (indoor, outdoor)

    static (inside, outside) 193.173.12.194 tcp https Pearle-DC02 https netmask 255.255.255.255

    inside_access_in access to the interface inside group

    Access-group outside_access_in in interface outside

    Access-group Wireless_access_in in wireless interface

    Route outside 0.0.0.0 0.0.0.0 193.173.12.206 1

    Route outside OracleThree 255.255.224.0 193.173.12.198 1

    Route outside 143.47.128.0 255.255.240.0 193.173.12.198 1

    Route inside 172.27.0.0 255.255.255.0 Pearle-DC02 1

    Timeout xlate 03:00

    Timeout conn 01:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02

    Sunrpc timeout 0:10:00 h323 0:05:00 h225 mgcp from 01:00 0:05:00 mgcp-pat 0:05:00

    Sip timeout 0:30:00 sip_media 0:02:00 prompt Protocol sip-0: 03:00 sip - disconnect 0:02:00

    Timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute

    dynamic-access-policy-registration DfltAccessPolicy

    AAA authentication LOCAL telnet console

    the ssh LOCAL console AAA authentication

    Enable http server

    http 192.168.40.0 255.255.255.0 Wireless

    http 192.168.1.0 255.255.255.0 inside

    http 192.168.72.0 255.255.255.0 inside

    http GrandVisionSoesterberg 255.255.255.0 inside

    SNMP-server host inside 192.168.33.29 survey community public version 2 c

    location of Server SNMP Schiphol

    contact Server SNMP SSmeekes

    SNMP-Server Public community

    Server enable SNMP traps snmp authentication linkup, linkdown cold start

    Crypto ipsec transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac

    Crypto ipsec transform-set ESP-DES-SHA esp - esp-sha-hmac

    Crypto ipsec transform-set ESP-DES-MD5 esp - esp-md5-hmac

    Crypto ipsec transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac

    Crypto ipsec transform-set ESP-3DES-MD5-esp-3des esp-md5-hmac

    Crypto ipsec transform-set ESP-AES-256-SHA 256 - aes - esp esp-sha-hmac

    Crypto ipsec transform-set ESP-AES-128-SHA aes - esp esp-sha-hmac

    Crypto ipsec transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac

    Crypto ipsec transform-set ESP-AES-128-MD5-esp - aes esp-md5-hmac

    Crypto ipsec transform-set esp-SHA-ESP-3DES-3des esp-sha-hmac

    Crypto ipsec transform-set esp-aes-256 GRANDVISION esp-md5-hmac

    life crypto ipsec security association seconds 28800

    Crypto ipsec kilobytes of life - safety 4608000 association

    Dynamic crypto map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set pfs

    Crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 value transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA MD5-ESP-3DES ESP-DES-SHA ESP-DES-MD5

    Dynamic crypto map SYSTEM_DEFAULT_CRYPTO_MAP 65535 define security association lifetime 28800 seconds

    cryptographic kilobytes 4608000 life of the set - the association of security of the 65535 SYSTEM_DEFAULT_CRYPTO_MAP of the dynamic-map

    card crypto outside_map0 1 match address outside_cryptomap_1

    outside_map0 card crypto 1jeu pfs

    outside_map0 card crypto 1jeu peer 212.78.223.182

    outside_map0 card crypto 1jeu transform-set ESP ESP-3DES-SHA-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-ESP ESP-3DES-MD5 MD5-DES-SHA ESP-DES-MD5

    outside_map0 map 1 lifetime of security association set seconds 28800 crypto

    card crypto outside_map0 1 set security-association life kilobytes 4608000

    card crypto game 2 outside_map0 address outside_cryptomap_2

    outside_map0 crypto map peer set 2 193.173.12.193

    card crypto outside_map0 2 game of transformation-ESP ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5-DES-SHA ESP-DES-MD5

    life card crypto outside_map0 2 set security-association seconds 28800

    card crypto outside_map0 2 set security-association life kilobytes 4608000

    card crypto outside_map0 3 match address outside_1_cryptomap

    outside_map0 card crypto 3 set pfs

    outside_map0 card crypto 3 peers set 193.172.182.66

    outside_map0 crypto map 3 the value transform-set ESP-3DES-SHA

    life card crypto outside_map0 3 set security-association seconds 28800

    card crypto outside_map0 3 set security-association life kilobytes 4608000

    card crypto outside_map0 game 4 address outside_cryptomap

    outside_map0 card crypto 4 peers set 213.56.81.58

    outside_map0 4 set transform-set GRANDVISION crypto card

    life card crypto outside_map0 4 set security-association seconds 28800

    card crypto outside_map0 4 set security-association life kilobytes 4608000

    card crypto outside_map0 5 match address outside_cryptomap_3

    outside_map0 card crypto 5 set pfs

    outside_map0 crypto card 5 peers set 86.109.255.177

    outside_map0 card crypto 5 game of transformation-ESP ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5-DES-SHA ESP-DES-MD5

    life card crypto outside_map0 5 set security-association seconds 28800

    card crypto outside_map0 5 set security-association life kilobytes 4608000

    Crypto map outside_map0 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP

    outside_map0 interface card crypto outside

    crypto ISAKMP allow inside

    crypto ISAKMP allow outside

    crypto ISAKMP enable dmz

    crypto ISAKMP enable wireless

    crypto ISAKMP policy 5

    preshared authentication

    3des encryption

    sha hash

    Group 2

    life 86400

    Telnet 192.168.72.0 255.255.255.0 inside

    Telnet timeout 5

    SSH 192.168.72.0 255.255.255.0 inside

    SSH GrandVisionSoesterberg 255.255.255.0 inside

    SSH 213.144.239.0 255.255.255.192 outside

    SSH timeout 5

    Console timeout 0

    management-access inside

    dhcpd dns 194.151.228.18 is 10.10.1.100

    dhcpd outside auto_config

    !

    dhcpd address 192.168.72.253 - 192.168.72.253 inside

    !

    dhcpd address dmz 192.168.50.10 - 192.168.50.50

    dhcpd enable dmz

    !

    dhcpd address wireless 192.168.40.10 - 192.168.40.99

    dhcpd dns 194.151.228.18 wireless interface

    dhcpd activate wireless

    !

    a basic threat threat detection

    host of statistical threat detection

    statistical threat detection port

    Statistical threat detection Protocol

    Statistics-list of access threat detection

    no statistical threat detection tcp-interception

    Group Policy "pearle_vpn_Hyp only" internal

    attributes of Group Policy "pearle_vpn_Hyp only".

    value of server WINS 192.168.72.25

    value of server DNS 192.168.72.25

    Protocol-tunnel-VPN IPSec l2tp ipsec

    Split-tunnel-policy tunnelspecified

    value of Split-tunnel-network-list SplittnlHyperion

    Split-dns value pearle.local

    internal pearle_vpn_OOD_only group policy

    attributes of the strategy of group pearle_vpn_OOD_only

    value of Split-tunnel-network-list SplittnlOOD

    internal pearle_vpn group policy

    attributes of the strategy of group pearle_vpn

    value of server WINS 192.168.72.25

    value of server DNS 192.168.72.25

    Protocol-tunnel-VPN IPSec l2tp ipsec svc

    Split-tunnel-policy tunnelspecified

    value of Split-tunnel-network-list splittunnelclientvpn

    Pearle.local value by default-field

    Split-dns value pearle.local

    username anyone password encrypted password

    username something conferred

    VPN-group-policy pearle_vpn_OOD_only

    type of remote access service

    tunnel-group 193 type ipsec-l2l

    tunnel-group 193 ipsec-attributes

    pre-shared-key *.

    tunnel-group 193.173.12.193 type ipsec-l2l

    IPSec-attributes tunnel-group 193.173.12.193

    pre-shared-key *.

    NOCHECK Peer-id-validate

    type tunnel-group pearle_vpn remote access

    tunnel-group pearle_vpn General-attributes

    address pool VPN_Range_2

    Group Policy - by default-pearle_vpn

    pearle_vpn group of tunnel ipsec-attributes

    pre-shared-key *.

    type tunnel-group Pearle_VPN_2 remote access

    attributes global-tunnel-group Pearle_VPN_2

    address pool VPN_Range_2

    strategy-group-by default "pearle_vpn_Hyp only".

    IPSec-attributes tunnel-group Pearle_VPN_2

    pre-shared-key *.

    tunnel-group 213.56.81.58 type ipsec-l2l

    IPSec-attributes tunnel-group 213.56.81.58

    pre-shared-key *.

    tunnel-group 212.78.223.182 type ipsec-l2l

    IPSec-attributes tunnel-group 212.78.223.182

    pre-shared-key *.

    tunnel-group 86.109.255.177 type ipsec-l2l

    IPSec-attributes tunnel-group 86.109.255.177

    pre-shared-key *.

    !

    class-map inspection_default

    match default-inspection-traffic

    !

    !

    type of policy-card inspect dns preset_dns_map

    parameters

    message-length maximum 512

    Policy-map global_policy

    class inspection_default

    inspect the preset_dns_map dns

    inspect the ftp

    inspect h323 h225

    inspect the h323 ras

    inspect the rsh

    inspect the rtsp

    inspect the skinny

    inspect sunrpc

    inspect xdmcp

    inspect the sip

    inspect the netbios

    inspect the tftp

    inspect the pptp

    !

    global service-policy global_policy

    context of prompt hostname

    Cryptochecksum:7d4d9c7ca7c865d9e40f5d77ed1238eb

    : end

    ASDM image disk0: / asdm - 613.bin

    ASDM BESServer 255.255.255.255 inside location

    ASDM VPN_Pool_2 255.255.255.0 inside location

    ASDM OracleTwo 255.255.224.0 inside location

    ASDM OracleOne 255.255.240.0 inside location

    ASDM OracleThree 255.255.224.0 inside location

    ASDM location Exchange2010 255.255.255.255 inside

    ASDM location Grandvision 255.255.255.0 inside

    ASDM Grandvision2 255.255.255.240 inside location

    ASDM Grandvision3 255.255.255.0 inside location

    ASDM Grandvision4 255.255.255.255 inside location

    ASDM GrandVision_PC 255.255.255.255 inside location

    ASDM location LanSweep-XP 255.255.255.255 inside

    ASDM GrandVisionSoesterberg 255.255.255.0 inside location

    ASDM location Pearle-DC02 255.255.255.255 inside

    ASDM location Pearle-WDS 255.255.255.255 inside

    ASDM location Swabach 255.255.255.0 inside

    ASDM GrandVisionSoesterberg2 255.255.255.0 inside location

    don't allow no asdm history

    Where is that host (inethost)? Inside of the ASA, or on the internet (on the outside)?

    If it is outside, you must configure the NAT for the pool of vpn as you turn on the SAA.

    NAT (outside) 1 192.168.75.0 255.255.255.0

Maybe you are looking for