Remote host IP SLA ping through a VPN tunnel with NAT

Hi all

I did some research here, but didn't come across similar issues. I'm fairly sure that what I want is not possible, but I want to make sure.

I want to monitor a remote host on the other side of a VPN. The local endpoint is my ASA.

The local INSIDE_LAN traffic is NATted to 10.19.124.1 before entering the VPN tunnel.

Interesting-traffic ACL used in the crypto map:

access-list ACL_TUNNELED_TO_REMOTE line 1 extended permit ip host 10.19.124.1 192.168.1.0 255.255.255.0

NAT rules:

global (OUTSIDE) 2 10.19.124.1 netmask 255.255.255.255

nat (INSIDE_LAN) 2 access-list ACL_NAT_TO_REMOTE

NAT ACL:

access-list ACL_NAT_TO_REMOTE line 1 extended permit ip 172.19.126.32 255.255.255.224 192.168.1.0 255.255.255.0

This configuration works very well for traffic from hosts in 172.19.126.32 255.255.255.224 to 192.168.1.0 255.255.255.0.

However, I would like to use "ip sla" on the ASA itself to monitor a remote host in 192.168.1.0 with ICMP echo. This would imply NATting one of the ASA's own IPs to 10.19.124.1, but I do not see how to do this. None of the ASA's interfaces is a logical one to use as the source for this.

Thanks for ideas and comments.

Regards

You are absolutely right; unfortunately you won't be able to NAT the ASA's interface IP address. NAT works for traffic passing through the ASA, not for traffic originating from the ASA itself.
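To make the answer concrete, here is an added example (not from the thread or from Cisco) that models the ASA 8.2 order of operations: the nat/global policy rule is applied first, then the crypto map checks the translated source against the crypto ACL. The OUTSIDE interface address 203.0.113.2 and the sample inside hosts are constructed; the model shows why a host in 172.19.126.32/27 is tunneled while an ip sla probe sourced by the ASA itself never matches ACL_TUNNELED_TO_REMOTE.

```python
"""ASA 8.2-style 'NAT first, then crypto-map match' model for the thread above.

Added example, not Cisco code or the poster's configuration. The ASA OUTSIDE
interface address 203.0.113.2 and the sample hosts are constructed.
"""
from dataclasses import dataclass
from ipaddress import IPv4Address, IPv4Network
from typing import List, Tuple


@dataclass(frozen=True)
class Ace:
    """One 'extended permit ip <src> <dst>' entry ('host x' is a /32)."""
    src: IPv4Network
    dst: IPv4Network

    def matches(self, src: IPv4Address, dst: IPv4Address) -> bool:
        return src in self.src and dst in self.dst


# nat (INSIDE_LAN) 2 access-list ACL_NAT_TO_REMOTE
ACL_NAT_TO_REMOTE: List[Ace] = [
    Ace(IPv4Network("172.19.126.32/27"), IPv4Network("192.168.1.0/24")),
]
# global (OUTSIDE) 2 10.19.124.1 netmask 255.255.255.255
GLOBAL_POOL_2 = IPv4Address("10.19.124.1")

# access-list ACL_TUNNELED_TO_REMOTE extended permit ip host 10.19.124.1 192.168.1.0/24
ACL_TUNNELED_TO_REMOTE: List[Ace] = [
    Ace(IPv4Network("10.19.124.1/32"), IPv4Network("192.168.1.0/24")),
]

ASA_OUTSIDE_IP = IPv4Address("203.0.113.2")  # constructed, not from the thread


def policy_nat(src: IPv4Address, dst: IPv4Address,
               self_originated: bool) -> Tuple[IPv4Address, bool]:
    """Return (translated source, whether a nat/global rule fired).

    Traffic the ASA sources itself (ip sla monitor probes, management pings)
    never passes through the nat/global rules, so it keeps its interface IP.
    """
    if self_originated:
        return src, False
    for ace in ACL_NAT_TO_REMOTE:
        if ace.matches(src, dst):
            return GLOBAL_POOL_2, True
    return src, False


def crypto_match(src: IPv4Address, dst: IPv4Address) -> bool:
    """The crypto map evaluates the post-NAT source against the crypto ACL."""
    return any(ace.matches(src, dst) for ace in ACL_TUNNELED_TO_REMOTE)


def check(src: str, dst: str, self_originated: bool = False) -> Tuple[str, bool, bool]:
    """Walk one flow through the pipeline: (translated src, natted?, tunneled?)."""
    s, d = IPv4Address(src), IPv4Address(dst)
    xlated, natted = policy_nat(s, d, self_originated)
    return str(xlated), natted, crypto_match(xlated, d)


if __name__ == "__main__":
    flows = [
        ("172.19.126.40", "192.168.1.10", False),     # inside host covered by the NAT ACL
        (str(ASA_OUTSIDE_IP), "192.168.1.10", True),  # ip sla probe sourced by the ASA
        ("172.19.126.5", "192.168.1.10", False),      # inside host outside the /27
    ]
    for src, dst, self_orig in flows:
        xlated, natted, tunneled = check(src, dst, self_orig)
        print(f"{src:>15} -> {dst}: src after NAT {xlated:<13} "
              f"natted={natted!s:<5} tunneled={tunneled}")
```

The self-originated probe leaves the ASA with its untranslated interface address, so it is forwarded in the clear by the routing table rather than into the tunnel; a monitor that reports a false "down" for this reason is a good reason to probe from a host inside 172.19.126.32/27 instead.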

Tags: Cisco Security

Similar Questions

  • Tunnel VPN and NAT

    Hello. I'm creating an IPsec LAN-to-LAN VPN tunnel from my ASA5510 to another network but hit a bit of an obstacle. My counterpart on the other side has informed me that he already has a VPN tunnel to another company that has the same IP range as my network (10.100.16.0/24) and cannot create the tunnel.

    I was wondering whether it is possible to use NAT on the VPN tunnel so that traffic going from my network over the VPN tunnel gets translated and my counterpart on the other side sees this translated range of IP addresses?

    Thanks in advance for any help.

    Hello

    Yes, you can use the same address you already use for internet access.

    Just update your crypto access list to reflect the new address and ensure that the third party does the same.

    Jon

  • VPN with NAT Interface

    Hello

    I am trying to set up a VPN between a VLAN I have defined and another office. I have been using nat on the interface for internet access with a NAT pool.

    I created the VPN with a crypto map and the VPN is successfully established.

    The problem I encounter is that with NAT enabled, internet access works but I cannot ping through the VPN.

    If I disable NAT, the VPN works perfectly, but then the VLAN cannot access the internet.

    What should I do differently?

    Here is the config:

    Hardware: 2911 with security package

    Local network: 10.10.104.0/24

    Remote network: 192.168.1.0/24

    Public range: 65.49.46.68/28

    crypto isakmp policy 104
     encr 3des
     authentication pre-share
     group 2
     lifetime 28800
    crypto isakmp key REDACTED address 75.76.102.50

    crypto ipsec transform-set strongsha esp-3des esp-sha-hmac

    crypto map OFFICE 104 ipsec-isakmp
     set peer 75.76.102.50
     set transform-set strongsha
     match address 104

    interface GigabitEthernet0/0
     ip address 65.49.46.68 255.255.255.240
     ip flow ingress
     ip nat outside
     ip virtual-reassembly
     duplex full
     speed 100
     standby 0 ip 65.49.46.70
     standby 0 timers 2 6
     standby 0 preempt
     crypto map OFFICE redundancy WAN

    interface GigabitEthernet0/2.104
     encapsulation dot1Q 104
     ip address 10.10.104.254 255.255.255.0

    ip nat pool wan_access 65.49.46.70 65.49.46.70 prefix-length 28
    ip nat inside source list 99 pool wan_access overload

    access-list 99 permit 10.10.104.0 0.0.0.255
    access-list 104 permit ip 10.10.104.0 0.0.0.255 192.168.1.0 0.0.0.255
    access-list 104 permit ip 192.168.1.0 0.0.0.255 10.10.104.0 0.0.0.255
    access-list 104 permit icmp 10.10.104.0 0.0.0.255 192.168.1.0 0.0.0.255
    access-list 104 permit icmp 192.168.1.0 0.0.0.255 10.10.104.0 0.0.0.255

    #sh crypto isakmp sa

    IPv4 Crypto ISAKMP SA
    dst             src             state          conn-id status
    65.49.46.70     75.76.102.50    QM_IDLE           1299 ACTIVE

    Hello!

    Please, make these changes:

    ip access-list extended Internet-NAT
     deny ip 10.10.104.0 0.0.0.255 192.168.1.0 0.0.0.255
     permit ip 10.10.104.0 0.0.0.255 any

    ip nat inside source list Internet-NAT pool wan_access overload

    * Please do not remove the old NAT statement until you have added the one above.

    Please keep me posted.

    Thank you!

    Sent from Cisco Technical Support Android App

  • Publish a server with hairpin NAT through a VPN tunnel with ASA

    Hi all

    Thanks in advance for helping me out - I know somebody has done this, and I'm having trouble finding out how. I'm probably missing something simple.

    I have a client who wants to view a DVR device through a VPN tunnel, published through the public firewall at the colocation. The DVR endpoint has a dynamically assigned IP which tunnels to the host on demand (I know that the tunnel could drop).

    So I think/thought I could hairpin/policy NAT this, but I'm not the best at this.

    Let's see if I can get this

    Public IP 1.1.1.1 -> ASA outside interface -> 2.2.2.2 / private IP

    My config, as far as I know it is pertinent, is as follows:

    same-security-traffic permit intra-interface

    access-list incoming extended permit ip any host 168.215.x.x

    access-group incoming in interface outside

    static (outside,outside) 168.215.x.x 10.10.x.x netmask 255.255.255.255

    I am running ASA image version 8.2.5.

    If you could take a look and let me know what I'm missing, please.

    Thank you

    Hello

    The problem here is of course the fact that we cannot configure NAT0 without causing all Internet traffic from the remote site to flow through the VPN connection.

    So I wonder if another type of NAT configuration would actually work.

    I would call it static policy identity NAT, if such a name exists.

    Something like that

    access-list DVR-POLICY-NAT remark Direct HTTP traffic to VPN

    access-list DVR-POLICY-NAT permit tcp host 10.10.2.253 eq 80 any

    static (inside,outside) 10.10.2.253 access-list DVR-POLICY-NAT

    This should basically do the following:

    • When the DVR sends any traffic sourced from TCP/80 (essentially the return traffic for connections from the main site) to ANY destination address (the Internet), the host is translated to itself.
    • Since NAT is performed before the VPN rules are processed, this should mean that, because the translated address is the host itself, it matches the VPN rule only in this particular case where the traffic is TCP/80 (which could only be the result of it replying to a connection to TCP/80 from any destination).
    • Which leads me to believe it shouldn't cause any problems with the central site's connection to the remote site (NAT0 is processed before static policy NAT) or for the DVR reaching the Internet.
    • Unless the DVR must also be reachable directly via the Internet connection of the remote site. (It would then send its replies to those HTTP connections out with the original source IP address.) Or maybe it even fails completely at the connection-setup phase. I have not tested.

    Hope this helps

    Remember to mark the reply as the correct answer and/or rate helpful replies.

    Ask more if necessary.

    EDIT: typos

    -Jouni

  • L2L VPN with NAT

    Hi all

    I'm quite inexperienced in this subject and would appreciate advice on this.

    I need to create a VPN tunnel between our site and a remote site.

    Our site is on the 192.168.0.X network; our external IP address is 12.53.150.100.

    The site we need to connect to is 69.144.38.48.

    We need host-to-host traffic, meaning 192.168.0.97 --> 69.144.38.50, and they want our IP translated to 10.9.250.1.

    Thanks in advance

    Jason

    Are you familiar with setting up a regular L2L tunnel? In addition to that, you just create a policy NAT:

    access-list 100 extended permit ip host 192.168.0.97 host 69.144.38.50

    static (inside,outside) 10.9.250.1 access-list 100

    When you define your crypto ACL, you specify 10.9.250.1 as the source instead of 192.168.0.97.

    Let me know if you need more help.

  • VPN with NAT

    I'm sure this question has been asked several times, but I want to assure you that I understand before proceeding.

    I set up a site to site VPN IPSec between two ASAs.

    I want to NAT an internal host that connects to my VPN peer's network. So I need to make sure that traffic from this internal host is NATted before entering the VPN tunnel as "interesting traffic".

    So let's say the remote 192.168.20.0/24 network connects via the IPsec VPN tunnel, with peers 65.200.1.1 and 198.14.7.10, to host 10.100.1.7 on my network.

    I want to NAT host 10.100.1.7 to 192.168.100.5 so that the remote network connects to the 192 address, not the 10.

    How can I do this?

    (I use an ASA 5505)

    Hello Colin,

    That's right, it's one of the great things about the changes in version 8.3 and later. You can create a policy NAT rule in a single line.

    Please let me know if you understand this or if there is something else I can do for you.

    Please rate helpful posts.

    Have a good night,

    Julio

  • Problem with tunnel IPSEC with NAT

    Hello

    I had an IPsec tunnel from an old Cisco 887 router to a remote site. I'm migrating the config from the 887 to an ASA. The remote site cannot establish the tunnel. This is the only site having problems; a number of other remote sites connect back without problem.

    The setup is

    192.168.1.x (main site inside) - ASA - 86.x.x.x (outside) - Internet - 159.x.x.x (remote site outside) - Firewall - 10.10.10.x

    The remote site will not accept the 192.168.1.x range, so I'm NATting to 192.168.50.x, which is what they want to see.

    The config I have is

    object network NAT_TO_Remote1
     subnet 192.168.50.0 255.255.255.0
    object network Remote1
     subnet 10.10.10.0 255.255.252.0

    nat (inside,outside) source static 192.168.1.0 NAT_TO_Remote1 destination static Remote1 Remote1

    crypto ikev1 policy 30
     authentication pre-share
     encryption 3des
     hash sha
     group 2
     lifetime 86400

    crypto ipsec ikev1 transform-set 3DES-SHA1 esp-3des esp-sha-hmac

    crypto map Outside_map 10 match address Qualcom_VPN
    crypto map Outside_map 10 set peer 159.x.x.x
    crypto map Outside_map 10 set ikev1 transform-set 3DES-SHA1
    crypto map Outside_map 10 set pfs group1
    crypto map Outside_map interface outside

    access-list RemoteSite_VPN extended permit ip host 192.168.50.20 10.10.10.0 255.255.252.0
    access-list RemoteSite_VPN extended permit ip host 192.168.50.30 10.10.10.0 255.255.252.0
    access-list RemoteSite_VPN extended permit ip host 192.168.50.40 10.10.10.0 255.255.252.0

    tunnel-group 159.x.x.x type ipsec-l2l
    tunnel-group 159.x.x.x general-attributes
     default-group-policy RemoteSites
    tunnel-group 159.x.x.x ipsec-attributes
     ikev1 pre-shared-key *****

    I was wondering if I'm missing something obvious here.

    Hello

    You must check the IPsec transform set and see whether they have the PFS group enabled or not:

    crypto map Outside_map 10 set pfs group1

    Try using group2, or turn it off.

    Kind regards

    Aditya

    Please evaluate the useful messages and mark the correct answers.

  • LAN to LAN VPN with NAT - solved!

    Hello all

    I have problems with an L2L VPN that is up and established; however, when traffic comes from the other side of the tunnel it does not reach the host on the internal network through a static NAT. Inside host 172.18.30.225 is currently NATted to yyy.30.49.14, which is an IP address on the DMZ (yyy.30.49.0 255.255.255.240) interface.

    Here is the configuration

    object-group network NET-Tunnel
     network-object host xxx.220.129.134

    access-list Tunnel-ACL extended permit ip host yyy.30.49.14 object-group NET-Tunnel

    crypto map MAP_Tunnel 20 match address Tunnel-ACL

    object network Tunnel-iServer-NAT
     host yyy.30.49.14
    object network Tunnel-iServer
     host 172.18.30.225

    object network Tunnel-iServer
     nat (inside,DMZ) static Tunnel-iServer-NAT

    I hope that it is enough for someone to help me.

    Thank you

    M

    Version 8.3.1 ASA

    Post edited by: network operations

    Does the internal host live on the DMZ network or on the internal one? If it lives on the internal network, you cannot NAT it to the DMZ interface and send it out the outside interface, assuming the outside interface is the VPN endpoint interface. If you terminate the VPN on the DMZ interface and the internal host lives on the internal network, then that's fine.

  • IOS VPN with NAT need help with ACL?

    What am I forgetting? I have tried other posts, studied known bugs with 12.2(13)T1, workarounds, etc., but perhaps my other configuration choices interfere with my VPN configuration.

    I can connect and authenticate locally just fine. Cisco VPN client 3.6.3 stats show I'm encrypting traffic to the protected networks, but I cannot pass any traffic to internal hosts once I've connected.

    I removed security-sensitive items and replaced all the public IP addresses with fake ones in the hope that someone can point me to the obvious!

    Thank you very much.

    ----------

    Current configuration : 5508 bytes
    !
    ! Last configuration change at 22:24:38 PST Thu Feb 20 2003 by kevin
    !
    version 12.2
    service timestamps debug uptime
    service timestamps log uptime
    service password-encryption
    !
    aaa new-model
    !
    aaa authentication login userauthen local
    aaa authorization network groupauthor local
    aaa session-id common
    ip subnet-zero
    !
    ip domain name mondomaine.fr
    ip name-server 199.13.28.12
    ip name-server 199.13.29.12
    !
    ip inspect audit-trail
    ip inspect max-incomplete high 1100
    ip inspect one-minute high 1100
    ip inspect name Ethernet_0_1 tcp
    ip inspect name Ethernet_0_1 udp
    ip inspect name Ethernet_0_1 cuseeme
    ip inspect name Ethernet_0_1 ftp
    ip inspect name Ethernet_0_1 h323
    ip inspect name Ethernet_0_1 rcmd
    ip inspect name Ethernet_0_1 realaudio
    ip inspect name Ethernet_0_1 smtp
    ip inspect name Ethernet_0_1 streamworks
    ip inspect name Ethernet_0_1 vdolive
    ip inspect name Ethernet_0_1 sqlnet
    ip inspect name Ethernet_0_1 tftp
    ip inspect name Ethernet_0_1 http java-list 99
    ip inspect name Ethernet_0_1 rtsp
    ip inspect name Ethernet_0_1 netshow
    ip inspect name Ethernet_0_0 tcp
    ip inspect name Ethernet_0_0 ftp
    ip inspect name Ethernet_0_0 udp
    ip audit notify log
    ip audit po max-events 100
    !
    crypto isakmp policy 3
     encr 3des
     authentication pre-share
     group 2
    crypto isakmp nat keepalive 20
    !
    crypto isakmp client configuration group vpngroup
     key xxxxxxxxx
     dns 199.13.28.12 199.13.29.12
     domain mydomain.com
     pool vpnpool
     acl 110
    !
    !
    crypto ipsec transform-set RIGHT esp-3des esp-sha-hmac
    !
    crypto dynamic-map dynmap 10
     set transform-set RIGHT
    !
    !
    crypto map clientmap client authentication list userauthen
    crypto map clientmap isakmp authorization list groupauthor
    crypto map clientmap client configuration address respond
    crypto map clientmap 10 ipsec-isakmp dynamic dynmap
    !
    mta receive maximum-recipients 0
    !
    !
    interface Ethernet0/0
     description connected to Internet
     ip address 199.201.44.198 255.255.255.248
     ip access-group 101 in
     ip nat outside
     ip inspect Ethernet_0_0 in
     no ip route-cache
     no ip mroute-cache
     half-duplex
     crypto map clientmap
    !
    interface Serial0/0
     no ip address
     shutdown
    !
    interface Ethernet0/1
     description connected to private
     ip address 192.168.1.254 255.255.255.0
     ip access-group 100 in
     ip nat inside
     ip inspect Ethernet_0_1 in
     half-duplex
    !
    ip local pool vpnpool 192.168.2.201 192.168.2.210
    ip nat translation timeout 119
    !!
    !! - removed the following line for the VPN configuration
    !! ip nat inside source list 1 interface Ethernet0/0 overload
    !! - replaced by the next line...
    ip nat inside source route-map sheep interface Ethernet0/0 overload
    ip nat inside source static 192.168.1.1 199.201.44.197
    ip classless
    ip route 0.0.0.0 0.0.0.0 199.201.44.193 permanent
    ip http server
    ip http access-class 7
    ip http authentication local
    !
    access-list 1 permit 192.168.1.0 0.0.0.255
    access-list 5 permit 192.5.41.40
    access-list 5 permit 192.5.41.41
    access-list 5 deny   any
    access-list 7 permit 192.168.1.0 0.0.0.255
    access-list 7 deny   any
    access-list 99 deny   any
    access-list 100 permit udp any eq rip any eq rip
    access-list 100 permit tcp host 192.168.1.1 any eq www
    access-list 100 permit ip host 192.168.1.1 any
    access-list 100 permit tcp host 192.168.1.2 any eq www
    access-list 100 permit ip host 192.168.1.2 any
    access-list 100 deny   ip host 192.168.1.253 any
    access-list 100 permit ip any any
    access-list 101 deny   ip host 199.201.44.197 any
    access-list 101 permit tcp any host 199.201.44.197 eq 22
    access-list 101 permit tcp any host 199.201.44.197 eq www
    access-list 101 permit tcp any host 199.201.44.197 eq 115
    access-list 101 permit icmp any host 199.201.44.197
    access-list 101 permit ip any host 199.201.44.198
    access-list 101 permit tcp any host 199.201.44.197 eq 8000
    access-list 101 permit tcp any host 199.201.44.197 eq 8080
    access-list 101 permit tcp any host 199.201.44.197 eq 9090
    access-list 101 permit udp any host 199.201.44.197 eq 7070
    access-list 101 permit udp any host 199.201.44.197 eq 554
    access-list 110 permit ip 192.168.1.0 0.0.0.255 any
    access-list 115 deny   ip 192.168.1.0 0.0.0.255 192.168.2.0 0.0.0.255
    access-list 115 permit ip 192.168.1.0 0.0.0.255 any
    !
    route-map sheep permit 10
     match ip address 115
    !
    line con 0
     exec-timeout 0 0
     password 7 XXXXXXXXXXXXXXX
    line aux 0
    line vty 0 4
     password 7 XXXXXXXXXXXXXXXX
    !
    ntp clock-period 17208655
    ntp source Ethernet0/0
    ntp access-group peer 5
    ntp access-group serve-only 7
    ntp master 3
    ntp server 192.5.41.41
    ntp server 192.5.41.40
    !
    end

    ----------

    Config looks OK; you should be able to reach every internal host EXCEPT 192.168.1.1 with this configuration. If you do a 'sho cry ipsec sa', do you see Pkts Decaps incrementing, indicating that you see the traffic from the remote client? Do you see Pkts Encaps incrementing, indicating that you are sending a response back to the client from the internal host?

    As for 192.168.1.1, because you have this:

    > ip nat inside source static 192.168.1.1 199.201.44.197

    it takes precedence over this:

    > ip nat inside source route-map sheep interface Ethernet0/0 overload

    for traffic from this host only, and therefore return traffic for just this host is always NATted even if you don't want it to be. The workaround is to send traffic to this host through a loopback interface with no NAT enabled on it; that stops it being NATted and allows you to connect via VPN. See http://www.cisco.com/warp/public/707/static.html for a detailed explanation, but basically you must add this:

    interface loopback 0
     ip address 1.1.1.1 255.255.255.0

    interface ethernet0/1
     ip policy route-map static

    route-map static permit 10
     match ip address 120
     set ip next-hop 1.1.1.2

    access-list 120 permit ip host 192.168.1.1 192.168.2.0 0.0.0.255

  • L2L VPN with static NAT to hide internal IPs on Cisco 1841 ISR

    I configured an L2L VPN on a Cisco 1841 ISR. I'm statically NATting some of my internal hosts to IPs that are included in the encrypted traffic. Please note that not all internal hosts are being NATted. I am doing this to hide some of the actual IP addresses on the inside network. I confirmed that the VPN works, as does the NATted VPN traffic. I have traditionally configured L2L VPNs on Cisco ASA 5500 Series devices, and this is my first attempt with the 1841 ISR. I just want someone else to take a glance to see if I missed something, or whether part of the configuration could be done more efficiently. All comments are welcome.

    VPN-RTR-01#show run
    Building configuration...

    Current configuration : 9316 bytes
    !
    version 12.4
    service timestamps debug datetime msec
    service timestamps log datetime msec
    service password-encryption
    !
    hostname VPN-RTR-01
    !
    boot-start-marker
    boot-end-marker
    !
    ! card type command needed for slot/vwic-slot 0/0
    logging buffered 51200 warnings
    no logging console
    enable secret 5 xxxxxxxxxxxxxxx
    enable password 7 xxxxxxxxxxxxxxx
    !
    no aaa new-model
    ip cef
    !
    !
    !
    !
    no ip domain lookup
    ip auth-proxy max-nodata-conns 3
    ip admission max-nodata-conns 3
    !
    !
    crypto pki trustpoint TP-self-signed-2010810276
     enrollment selfsigned
     subject-name cn=IOS-Self-Signed-Certificate-2010810276
     revocation-check none
     rsakeypair TP-self-signed-2010810276
    !
    !
    crypto pki certificate chain TP-self-signed-2010810276
     certificate self-signed 01
      quit
    username lhocin privilege 15 password 7 xxxxxxxxxxxxxxx
    username jsmith privilege 15 password 7 xxxxxxxxxxxxxxx
    !
    !
    !
    !
    crypto isakmp policy 5
     encr aes 256
     authentication pre-share
     group 2
     lifetime 28800
    crypto isakmp key xxxxxxxxxxxxxxx address 172.21.0.1 no-xauth
    !
    !
    crypto ipsec transform-set ESP-AES256-SHA esp-aes 256 esp-sha-hmac
    !
    crypto map VPN-REMOTE-SITE 1 ipsec-isakmp
     set peer 172.21.0.1
     set transform-set ESP-AES256-SHA
     match address VPN-REMOTE-SITE
    !
    !
    !
    interface FastEthernet0/0
     no ip address
     speed auto
     full-duplex
     no mop enabled
    !
    interface FastEthernet0/0.1
     encapsulation dot1Q 1 native
    !
    interface FastEthernet0/0.2
     description $FW_INSIDE$
     encapsulation dot1Q 61
     ip address 10.1.0.34 255.255.255.224
     ip access-group 100 in
     ip nat inside
     ip virtual-reassembly
    !
    interface FastEthernet0/0.3
     description $FW_OUTSIDE$
     encapsulation dot1Q 111
     ip address 172.20.32.17 255.255.255.224
     ip access-group 101 in
     ip verify unicast reverse-path
     ip nat outside
     ip virtual-reassembly
     crypto map VPN-REMOTE-SITE
    !
    interface FastEthernet0/1
     no ip address
     shutdown
     duplex auto
     speed auto
    !
    ip forward-protocol nd
    ip route 0.0.0.0 0.0.0.0 172.20.32.1
    ip route 10.16.0.0 255.255.0.0 10.1.0.33
    ip route 10.19.0.0 255.255.0.0 10.1.0.33
    ip route 10.191.0.0 255.255.0.0 10.1.0.33
    ip route 10.192.0.0 255.255.0.0 10.1.0.33
    ip route 192.168.20.48 255.255.255.240 10.1.0.33
    !
    !
    ip http server
    ip http authentication local
    ip http secure-server
    ip http timeout-policy idle 600 life 86400 requests 10000
    ip nat inside source route-map NO_NAT interface FastEthernet0/0.3 overload
    ip nat inside source static 10.191.0.11 192.168.20.54 route-map STATIC_NAT_7 extendable
    ip nat inside source static 10.191.0.12 192.168.20.55 route-map STATIC_NAT_8 extendable
    ip nat inside source static 10.192.1.1 192.168.20.56 route-map STATIC_NAT_1 extendable
    ip nat inside source static 10.192.1.2 192.168.20.57 route-map STATIC_NAT_2 extendable
    ip nat inside source static 10.192.1.3 192.168.20.58 route-map STATIC_NAT_3 extendable
    ip nat inside source static 10.192.1.4 192.168.20.59 route-map STATIC_NAT_4 extendable
    ip nat inside source static 10.192.1.5 192.168.20.61 route-map STATIC_NAT_5 extendable
    ip nat inside source static 10.16.1.6 192.168.20.62 route-map STATIC_NAT_6 extendable
    !
    ip access-list extended VPN-REMOTE-SITE
     permit ip 192.168.20.48 0.0.0.15 host 10.174.52.39
     permit ip 192.168.20.48 0.0.0.15 host 10.174.52.40
    ip access-list extended inside_nat_static_1
     permit ip host 10.192.1.1 host 10.174.52.39
     permit ip host 10.192.1.1 host 10.174.52.40
     deny   ip any any
    ip access-list extended inside_nat_static_2
     permit ip host 10.192.1.2 host 10.174.52.39
     permit ip host 10.192.1.2 host 10.174.52.40
     deny   ip any any
    ip access-list extended inside_nat_static_3
     permit ip host 10.192.1.3 host 10.174.52.39
     permit ip host 10.192.1.3 host 10.174.52.40
     deny   ip any any
    ip access-list extended inside_nat_static_4
     permit ip host 10.192.1.4 host 10.174.52.39
     permit ip host 10.192.1.4 host 10.174.52.40
     deny   ip any any
    ip access-list extended inside_nat_static_5
     permit ip host 10.192.1.5 host 10.174.52.39
     permit ip host 10.192.1.5 host 10.174.52.40
     deny   ip any any
    ip access-list extended inside_nat_static_6
     permit ip host 10.16.1.6 host 10.174.52.39
     permit ip host 10.16.1.6 host 10.174.52.40
     deny   ip any any
    ip access-list extended inside_nat_static_7
     permit ip host 10.191.0.11 host 10.174.52.39
     permit ip host 10.191.0.11 host 10.174.52.40
     deny   ip any any
    ip access-list extended inside_nat_static_8
     permit ip host 10.191.0.12 host 10.174.52.39
     permit ip host 10.191.0.12 host 10.174.52.40
     deny   ip any any
    !
    access-list 100 remark auto generated by SDM firewall configuration
    access-list 100 remark SDM_ACL Category=1
    access-list 100 deny   ip 172.20.32.0 0.0.0.31 any
    access-list 100 deny   ip host 255.255.255.255 any
    access-list 100 deny   ip 127.0.0.0 0.255.255.255 any
    access-list 100 permit ip any any
    access-list 101 remark SDM_ACL Category=17
    access-list 101 permit udp any host 192.168.20.62
    access-list 101 permit tcp any host 192.168.20.62
    access-list 101 permit udp any host 192.168.20.61
    access-list 101 permit tcp any host 192.168.20.61
    access-list 101 permit udp any host 192.168.20.59
    access-list 101 permit tcp any host 192.168.20.59
    access-list 101 permit udp any host 192.168.20.58
    access-list 101 permit tcp any host 192.168.20.58
    access-list 101 permit udp any host 192.168.20.57
    access-list 101 permit tcp any host 192.168.20.57
    access-list 101 permit udp any host 192.168.20.56
    access-list 101 permit tcp any host 192.168.20.56
    access-list 101 permit udp any host 192.168.20.55
    access-list 101 permit tcp any host 192.168.20.55
    access-list 101 permit udp any host 192.168.20.54
    access-list 101 permit tcp any host 192.168.20.54
    access-list 101 permit ip host 10.174.52.40 192.168.20.48 0.0.0.15
    access-list 101 permit ip host 10.174.52.39 192.168.20.48 0.0.0.15
    access-list 101 permit udp host 172.21.0.1 host 172.20.32.17 eq non500-isakmp
    access-list 101 permit udp host 172.21.0.1 host 172.20.32.17 eq isakmp
    access-list 101 permit esp host 172.21.0.1 host 172.20.32.17
    access-list 101 permit ahp host 172.21.0.1 host 172.20.32.17
    access-list 101 permit icmp any host 172.20.32.17 echo-reply
    access-list 101 permit icmp any host 172.20.32.17 time-exceeded
    access-list 101 permit icmp any host 172.20.32.17 unreachable
    access-list 101 permit udp any host 172.20.32.17 eq isakmp log
    access-list 101 permit udp any host 172.20.32.17 eq non500-isakmp
    access-list 101 permit tcp any host 172.20.32.17 eq 443
    access-list 101 permit tcp any host 172.20.32.17 eq 22
    access-list 101 permit tcp any host 172.20.32.17 eq cmd
    access-list 101 deny   ip 10.1.0.32 0.0.0.31 any
    access-list 101 deny   ip 10.0.0.0 0.255.255.255 any
    access-list 101 deny   ip 172.16.0.0 0.15.255.255 any
    access-list 101 deny   ip 192.168.0.0 0.0.255.255 any
    access-list 101 deny   ip 127.0.0.0 0.255.255.255 any
    access-list 101 deny   ip host 255.255.255.255 any
    access-list 101 deny   ip host 0.0.0.0 any
    access-list 101 deny   ip any any log
    access-list 102 deny   ip 192.168.20.48 0.0.0.15 host 10.174.52.40
    access-list 102 deny   ip 192.168.20.48 0.0.0.15 host 10.174.52.39
    access-list 102 permit ip 10.1.0.32 0.0.0.31 any
    !
    route-map NO_NAT permit 1
     match ip address 102
    !
    route-map STATIC_NAT_8 permit 10
     match ip address inside_nat_static_8
    !
    route-map STATIC_NAT_5 permit 10
     match ip address inside_nat_static_5
    !
    route-map STATIC_NAT_4 permit 10
     match ip address inside_nat_static_4
    !
    route-map STATIC_NAT_7 permit 10
     match ip address inside_nat_static_7
    !
    route-map STATIC_NAT_6 permit 10
     match ip address inside_nat_static_6
    !
    route-map STATIC_NAT_1 permit 10
     match ip address inside_nat_static_1
    !
    route-map STATIC_NAT_3 permit 10
     match ip address inside_nat_static_3
    !
    route-map STATIC_NAT_2 permit 10
     match ip address inside_nat_static_2
    !
    !
    !
    control-plane
    !
    !
    !
    line con 0
     exec-timeout 30 0
    line aux 0
    line vty 0 4
     privilege level 15
     login local
     transport input telnet ssh
    line vty 5 15
     privilege level 15
     login local
     transport input telnet ssh
    !
    scheduler allocate 20000 1000
    end

    VPN-RTR-01#

    Hello

    Configuration looks ok to me.

    You can still cross-reference it with the following link:

    http://www.Cisco.com/en/us/Tech/tk583/TK372/technologies_configuration_example09186a0080223a59.shtml

    I hope this helps.

    Kind regards

    Anisha

    P.S.: Please mark this thread as answered if you feel that your query is resolved. Please rate helpful posts.

  • 3000 concentrator LAN-to-LAN VPN with NAT

    I need to configure a LAN-to-LAN VPN between two 3030 concentrators (separate companies) over the Internet. My company assigns a small subnet for hosts sitting on the client network. The customer wants to use their own IP subnet and assign IP addresses within their range. So, they would do static NAT on their concentrator. Is this possible? Or do they have to NAT the PCs before they reach the concentrator? Any help much appreciated.

    Hello

    The VPN Concentrator supports NAT.

    http://Cisco.com/en/us/products/HW/vpndevc/ps2284/products_configuration_example09186a00801ae24c.shtml

    HTH

    Kind regards

    GE.

  • IOS IPSEC VPN with NAT - translation problem

    I'm having a problem with an IOS IPsec VPN configuration.

    /*
    crypto isakmp policy 10
     encr 3des
     authentication pre-share
     group 2
    crypto isakmp key TEST123 address 205.xx.1.4
    !
    !
    crypto ipsec transform-set CHAIN esp-3des esp-sha-hmac
    !
    !
    crypto map CRYPTO-MAP 10 ipsec-isakmp
     set peer 205.xx.1.4
     set transform-set CHAIN
     match address 115
    !
    interface FastEthernet0/0
     description TO THE EDGE ROUTER
     ip address 208.xx.xx.33 255.255.255.252
     ip nat outside
     crypto map CRYPTO-MAP
    !
    interface FastEthernet0/1
     description INTERNAL NETWORK
     ip address 10.15.2.4 255.255.255.0
     ip nat inside
    !
    access-list 115 permit ip 192.xx.xx.128 0.0.0.3 172.xx.1.0 0.0.0.3
    */

    (This configuration is incomplete / NAT configuration needed)

    Here is the solution that I'm looking for:

    When a session is initiated from the "internal network" to the remote IPsec network 172.xx.1.0/30, I want the 10.15.0.0/16 address range to be NAT-translated to 192.xx.xx.128/30 before it is forwarded through the IPsec VPN tunnel.

    For more information, see the attached diagram.

    Any help is greatly appreciated!

    Thank you

    Clint Simmons

    Network engineer

    You can try the following NAT + route-map approach (method 2 in this link):

    http://www.Cisco.com/en/us/Tech/tk648/tk361/technologies_tech_note09186a0080093fca.shtml

    Thank you

    Raja K
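    The NAT-before-encryption layout that the linked method describes, written out as an added example (it is neither the poster's configuration nor text from the linked document). The redacted 192.xx.xx.128/30 and 172.xx.1.0/30 are stood in for by the assumed documentation ranges 192.0.2.128/30 and 198.51.100.0/30, and the pool, ACL and route-map names are assumed:

```cisco
! Added example, not the poster's config. Assumed: NAT pool 192.0.2.128/30 stands in
! for the redacted 192.xx.xx.128/30, remote LAN 198.51.100.0/30 for 172.xx.1.0/30.
ip nat pool VPN-POOL 192.0.2.129 192.0.2.130 prefix-length 30
!
! Translate only sessions from the LAN to the remote VPN subnet; anything else
! keeps its real address or falls through to the other NAT rules on the box.
ip access-list extended NAT-TO-VPN
 permit ip 10.15.0.0 0.0.255.255 198.51.100.0 0.0.0.3
!
route-map VPN-NAT permit 10
 match ip address NAT-TO-VPN
!
! "overload" = PAT: the whole /16 hides behind the two pool addresses.
ip nat inside source route-map VPN-NAT pool VPN-POOL overload
!
interface FastEthernet0/1
 ip nat inside
interface FastEthernet0/0
 ip nat outside
 crypto map CRYPTO-MAP
!
! The crypto ACL must match the TRANSLATED source: IOS applies inside-to-outside
! NAT before the crypto map on the egress interface is consulted, so an ACL that
! still named 10.15.0.0/16 here would never trigger encryption.
access-list 115 permit ip 192.0.2.128 0.0.0.3 198.51.100.0 0.0.0.3
```

    The peer's crypto ACL has to mirror the translated identity (198.51.100.0/30 to 192.0.2.128/30), and because the pool is overloaded the remote side cannot open sessions to individual 10.15.0.0/16 hosts; `show ip nat translations` and `show crypto ipsec sa` together confirm that a packet is translated before the SA's encrypt counter increments.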

  • L2L VPN with inbound NAT

    Cisco ASA (Site A) with two L2L VPNs (call them Site B and Site C).

    I need to "inbound NAT" the Site-C network.

    Let me explain better:

    - Site-B (10.14.63.0/24) accepts only traffic from the Site-A local network (10.1.6.0/24), and I can't change that VPN.

    - Now I've connected Site-C to Site-A, and it must also communicate with Site-B.

    - So I thought of NATting the Site-C network (10.168.3.0/24) so that it presents itself with a Site-A IP.

    Possible?

    And how do I configure the ASA at Site-A?

    Thank you

    Claudio

    Hello

    What is the software level on the Site-A ASA?

    -Jouni
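    An added example of how the Site-A ASA can do what Claudio describes if it runs 8.3 or later (this is not from the thread, and the syntax dependency on the version is why the software level matters): twice NAT on the outside interface maps Site-C sources to one spare Site-A address, assumed here to be 10.1.6.250, only when the destination is Site-B, so Site-B's unchanged crypto ACL keeps matching. Object and ACL names are assumed:

```cisco
! Added example for ASA 8.3+ at Site-A, not Claudio's config. 10.1.6.250 is an
! assumed unused address inside the Site-A LAN 10.1.6.0/24.
object network SITE-B-NET
 subnet 10.14.63.0 255.255.255.0
object network SITE-C-NET
 subnet 10.168.3.0 255.255.255.0
object network SITE-C-AS-SITE-A
 host 10.1.6.250
!
! Both tunnels terminate on "outside": decrypted Site-C packets must be allowed
! to turn around and leave through the interface they arrived on.
same-security-traffic permit intra-interface
!
! Twice NAT, outside-to-outside: rewrite the Site-C source to the Site-A host
! only for traffic whose destination is Site-B. A single host as the mapped
! object gives PAT, so this serves connections initiated from Site-C only.
! Keep this rule above any broader section-1 rules so it is evaluated first.
nat (outside,outside) source dynamic SITE-C-NET SITE-C-AS-SITE-A destination static SITE-B-NET SITE-B-NET
!
! Site-C tunnel: from Site-A's point of view the "local" side reached through
! this ASA is Site-B, the remote side is Site-C (real, pre-NAT addresses).
access-list SITE-C-CRYPTO extended permit ip object SITE-B-NET object SITE-C-NET
!
! Site-B tunnel: nothing to add. Its existing 10.1.6.0/24 <-> 10.14.63.0/24 entry
! already covers 10.1.6.250, and the ASA applies NAT before it checks the crypto
! ACL on egress, so Site-B only ever sees the Site-A address.
```

    The peer at Site-C must carry the mirror entry 10.168.3.0/24 to 10.14.63.0/24 in its own crypto ACL. `packet-tracer input outside tcp 10.168.3.10 1025 10.14.63.10 445` shows whether the NAT phase rewrites the source before the VPN encrypt phase, and `show xlate` lists the resulting 10.168.3.x to 10.1.6.250 translations.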

  • How to bring up tunnels without needing to ping a remote host

    That's the big question!

    How can you bring up tunnels without needing to ping a remote host in the target network? Our clients get hung up on a regular basis because of this problem. 10 points for the first answer!

    Hello

    You can configure keepalives on the VPN endpoints.

    For example

    On PIX

    isakmp keepalive 2 30

    On IOS

    crypto isakmp keepalive 10 periodic

    If that does not solve it and you need some kind of traffic, you can configure NTP across the VPN link (sourced from the private interface, so that it is interesting traffic for the VPN).

    HTH

    Sangaré
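    An added IOS example (not the configuration of either participant) that pairs the periodic DPD keepalive above with a scheduled ICMP probe as the traffic that actually brings the tunnel up, as an alternative to routing NTP through it. The probe target 192.168.1.10, the inside interface GigabitEthernet0/1 and the timers are assumptions:

```cisco
! Added example, not from the thread. DPD only detects a dead peer and tears down
! stale SAs; it never initiates a tunnel. Interesting traffic does that, so a
! router-generated probe sourced from the LAN interface (so it falls inside the
! crypto ACL) keeps the SA built without anyone having to ping by hand.
crypto isakmp keepalive 10 3 periodic
!
! Assumed: 192.168.1.10 is a host in the remote LAN, Gi0/1 is the local LAN
! interface whose address is covered by the local side of the crypto ACL.
ip sla 10
 icmp-echo 192.168.1.10 source-interface GigabitEthernet0/1
 frequency 60
 timeout 2000
ip sla schedule 10 life forever start-time now
```

    Check with `show ip sla statistics 10` that the probe is sent and answered, and with `show crypto ipsec sa` that the encaps counter for the probe's proxy identity rises by one every 60 seconds; if the probe is sent but no SA forms, its source address is not matched by the crypto ACL and the packet went out in the clear.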

  • HTTPS between VPN client and Internet host through IPsec tunnel: ipsec-spoof

    Hello

    We have a Cisco ASA 5505 and are trying to get the following to work:

    VPN client (IP 192.168.75.5) connected to the Cisco ASA 5505

    the client gets a specific route for an Internet address (79.143.218.35 255.255.255.255 192.168.75.1 192.168.75.5 100)

    When I try to access the URL from the client, netstat shows the connection in SYN_SENT

    When I run packet-tracer on the ASA, I see the following:

    Phase: 1  Type: FLOW-LOOKUP  Result: ALLOW
      Found no matching flow, creating a new flow

    Phase: 2  Type: ROUTE-LOOKUP  Subtype: input  Result: ALLOW
      in 0.0.0.0 0.0.0.0 outside

    Phase: 3  Type: ACCESS-LIST  Subtype: log  Result: ALLOW
      access-group outside_access_in in interface outside
      access-list outside_access_in extended permit tcp any any eq https
      access-list outside_access_in remark hyperion outside inside

    Phase: 4  Type: IP-OPTIONS  Result: ALLOW

    Phase: 5  Type: CP-PUNT  Result: ALLOW

    Phase: 6  Type: VPN  Subtype: ipsec-tunnel-flow  Result: ALLOW

    Phase: 7  Type: IP-OPTIONS  Result: ALLOW

    Phase: 8  Type: VPN  Subtype: encrypt  Result: ALLOW

    Result:
    input-interface: outside
    input-status: up
    input-line-status: up
    output-interface: outside
    output-status: up
    output-line-status: up
    Action: drop
    Drop-reason: (ipsec-spoof) IPSEC Spoof detected

    When I try the reverse (i.e. from the Internet host to the VPN client), it seems to work:

    Phase: 1  Type: FLOW-LOOKUP  Result: ALLOW
      Found no matching flow, creating a new flow

    Phase: 2  Type: ROUTE-LOOKUP  Subtype: input  Result: ALLOW
      in 192.168.75.5 255.255.255.255 outside

    Phase: 3  Type: ACCESS-LIST  Subtype: log  Result: ALLOW
      access-group outside_access_in in interface outside
      access-list outside_access_in extended permit ip any any

    Phase: 4  Type: IP-OPTIONS  Result: ALLOW

    Phase: 5  Type: VPN  Subtype: ipsec-tunnel-flow  Result: ALLOW

    Phase: 6  Type: VPN  Subtype: encrypt  Result: ALLOW

    My question is why this happens and how do we solve it?

    Thanks in advance, Sipke

    Our running-config:

    : Saved
    :
    ASA Version 8.0(4)
    !
    hostname ciscoasa
    domain-name somedomain
    enable password - encrypted
    passwd - encrypted
    names
    name 10.10.1.0 Hyperion
    name 164.140.159.x xxxx
    name 192.168.72.25 xxxx
    name 192.168.72.24 xxxx
    name 192.168.72.196 xxxx
    name 192.168.75.0 vpn clients
    name 213.206.236.0 xxxx
    name 143.47.160.0 xxxx
    name 141.143.32.0 xxxx
    name 141.143.0.0 xxxx
    name 192.168.72.27 xxxx
    name 10.1.11.0 xxxx
    name 10.1.2.240 xxxx
    name 10.1.1.0 xxxx
    name 10.75.2.1 xxxx
    name 10.75.2.23 xxxx
    name 192.168.72.150 xxxx
    name 192.168.33.0 xxxx
    name 192.168.72.26 xxxx
    name 192.168.72.5 xxxx
    name 192.168.23.0 xxxx
    name 192.168.34.0 xxxx
    name 79.143.218.35 inethost
    !
    interface Vlan1
     nameif inside
     security-level 100
     ip address 192.168.72.254 255.255.255.0
     ospf cost 10
    !
    interface Vlan2
     nameif outside
     security-level 0
     ip address 193.173.x.x 255.255.255.240
     ospf cost 10
    !
    interface Vlan3
     shutdown
     nameif dmz
     security-level 50
     ip address 192.168.50.1 255.255.255.0
     ospf cost 10
    !
    interface Vlan23
     nameif wireless
     security-level 80
     ip address 192.168.40.1 255.255.255.0
     ospf cost 10
    !
    interface Ethernet0/0
     switchport access vlan 2
    !
    interface Ethernet0/1
    !
    interface Ethernet0/2
    !
    interface Ethernet0/3
    !
    interface Ethernet0/4
    !
    interface Ethernet0/5
     switchport access vlan 3
    !
    interface Ethernet0/6
     switchport access vlan 23
    !
    interface Ethernet0/7
    !
    ftp mode passive

    clock timezone CET 1
    clock summer-time CEDT recurring last Sun Mar 2:00 last Sun Oct 3:00
    dns domain-lookup inside
    dns server-group DefaultDNS
     domain-name pearle.local
    same-security-traffic permit inter-interface
    same-security-traffic permit intra-interface
    object-group protocol TCPUDP
     protocol-object udp
     protocol-object tcp
    object-group service RDP tcp
     description Remote Desktop Protocol
     port-object eq 3389
    object-group service UDP-VC udp
     port-object range 60000 60039
    object-group service VC-TCP tcp
     port-object range 60000 60009
    object-group service Fortis tcp
     port-object range 1501 1501
     port-object range 1502 1502
     port-object range sqlnet sqlnet
     port-object range 1584 1584
     port-object range 1592 1592
    object-group service fortis tcp
     port-object range 1592 1592
     port-object range 1502 1502
     port-object range 1584 1584
     port-object range sqlnet sqlnet
     port-object range 1501 1501
     port-object range 1500 1500
    object-group network DM_INLINE_NETWORK_1
     network-object 192.168.50.0 255.255.255.0
     network-object 192.168.72.0 255.255.255.0
     network-object 192.168.40.0 255.255.255.0
     network-object VPN_Pool_2 255.255.255.0
    object-group network DM_INLINE_NETWORK_2
     network-object 192.168.50.0 255.255.255.0
     network-object 192.168.72.0 255.255.255.0
    object-group network inside-networks
     network-object 192.168.72.0 255.255.255.0
    object-group service WingFTP_TCP tcp
     description Secure FTP
     port-object eq 989
     port-object eq 990
    object-group service DM_INLINE_TCP_1 tcp
     port-object eq ftp
     port-object eq ftp-data
     group-object WingFTP_TCP
    object-group service DM_INLINE_TCP_2 tcp
     port-object eq ftp
     port-object eq ftp-data
     group-object WingFTP_TCP
    object-group network DM_INLINE_NETWORK_3
     network-object 192.168.72.0 255.255.255.0
     network-object VPN_Pool_2 255.255.255.0
    object-group network DM_INLINE_NETWORK_4
     network-object 192.168.72.0 255.255.255.0
     network-object VPN_Pool_2 255.255.255.0
    object-group network Oracle
     network-object OracleTwo 255.255.224.0
     network-object OracleOne 255.255.240.0
     network-object OracleThree 255.255.224.0
    object-group network DM_INLINE_NETWORK_5
     network-object Grandvision 255.255.255.0
     network-object Grandvision2 255.255.255.240
     network-object Grandvision3 255.255.255.0
     network-object host Grandvision4
     network-object host GrandVision_PC
    object-group network DM_INLINE_NETWORK_6
     network-object Grandvision 255.255.255.0
     network-object Grandvision2 255.255.255.240
     network-object Grandvision3 255.255.255.0
     network-object host Grandvision4
     network-object host GrandVision_PC
    object-group network DM_INLINE_NETWORK_7
     network-object Grandvision 255.255.255.0
     network-object Grandvision2 255.255.255.240
     network-object Grandvision3 255.255.255.0
     network-object host GrandVision_PC
    object-group network DM_INLINE_NETWORK_8
     network-object Grandvision 255.255.255.0
     network-object Grandvision2 255.255.255.240
     network-object Grandvision3 255.255.255.0
     network-object host GrandVision_PC
    object-group service DM_INLINE_SERVICE_2
     service-object ip
     service-object tcp eq 3389
    object-group network DM_INLINE_NETWORK_9
     network-object OracleThree 255.255.0.0
     network-object OracleTwo 255.255.224.0
     network-object OracleOne 255.255.240.0
    object-group service DM_INLINE_SERVICE_3
     service-object ip
     service-object tcp eq 3389
    object-group service Atera tcp
     description Atera Webbased monitoring
     port-object range 8001 8001
     port-object range 8002 8002
     port-object range 8003 8003
    object-group service WingFTP_UDP udp
     port-object eq 989
     port-object eq 990
    object-group service WingFTP tcp
     description port range for data transfer
     port-object range 1024 1054
    object-group service HTTPS_redirected tcp
     description redirect WingFTP Server
     port-object eq 40200

    access-list inside_access_in remark ICMP test protocol inside outside
    access-list inside_access_in extended permit icmp 192.168.72.0 255.255.255.0 any
    access-list inside_access_in remark ICMP test protocol inside outside
    access-list inside_access_in remark HTTP inside outside
    access-list inside_access_in extended permit object-group TCPUDP 192.168.72.0 255.255.255.0 any eq www
    access-list inside_access_in remark DNS queries inside to outside
    access-list inside_access_in extended permit object-group TCPUDP 192.168.72.0 255.255.255.0 any eq domain
    access-list inside_access_in remark HTTPS inside outside
    access-list inside_access_in extended permit tcp 192.168.72.0 255.255.255.0 any eq https
    access-list inside_access_in remark ICMP test protocol inside outside
    access-list inside_access_in remark 7472 Epo-items inside outside
    access-list inside_access_in extended permit tcp 192.168.72.0 255.255.255.0 any eq 7472
    access-list inside_access_in remark POP3 inside outside
    access-list inside_access_in extended permit tcp 192.168.72.0 255.255.255.0 any eq pop3
    access-list inside_access_in extended permit udp host LifeSize-PE-HQ any object-group UDP-VC
    access-list inside_access_in extended permit tcp host LifeSize-PE-HQ any eq h323
    access-list inside_access_in remark video conference services
    access-list inside_access_in extended permit tcp host LifeSize-PE-HQ any object-group VC-TCP
    access-list inside_access_in extended permit tcp 192.168.72.0 255.255.255.0 any
    access-list inside_access_in remark Fortis
    access-list inside_access_in extended permit tcp 192.168.72.0 255.255.255.0 any object-group Fortis
    access-list inside_access_in extended permit ip 192.168.40.0 255.255.255.0 any
    access-list inside_access_in extended permit tcp 192.168.40.0 255.255.255.0 any
    access-list inside_access_in extended permit tcp 192.168.40.0 255.255.255.0 any eq www
    access-list inside_access_in extended permit tcp 192.168.40.0 255.255.255.0 any eq https
    access-list inside_access_in extended permit ip Hyperion 255.255.255.0 any
    access-list inside_access_in extended permit udp any any eq isakmp
    access-list inside_access_in extended permit udp any any eq ntp
    access-list inside_access_in extended permit udp any any eq 4500
    access-list inside_access_in extended permit ip any object-group Oracle
    access-list inside_access_in extended permit udp any any eq 10000
    access-list inside_access_in remark PPTP inside outside
    access-list inside_access_in extended permit tcp any any eq pptp
    access-list inside_access_in remark GRE inside outside
    access-list inside_access_in extended permit gre any any
    access-list inside_access_in remark RIM BES server infrastructure
    access-list inside_access_in extended permit tcp host BESServer any eq 3101
    access-list inside_access_in extended permit tcp any any object-group DM_INLINE_TCP_2
    access-list inside_access_in extended permit tcp any any object-group HTTPS_redirected
    access-list inside_access_in extended permit ip Hyperion 255.255.255.0 VPN_Pool_2 255.255.255.0
    access-list inside_access_in extended permit udp any host 86.109.255.177 eq 1194
    access-list inside_access_in extended permit ip 192.168.72.0 255.255.255.0 object-group DM_INLINE_NETWORK_7
    access-list inside_access_in extended permit ip VPN_Pool_2 255.255.255.0 any
    access-list inside_access_in extended deny ip any any log debugging inactive
    access-list outside_access_in remark ICMP test protocol outside inside
    access-list outside_access_in extended permit icmp any any
    access-list outside_access_in remark SMTP outside inside
    access-list outside_access_in extended permit tcp any any eq smtp
    access-list outside_access_in extended permit udp any any eq ntp log disable
    access-list outside_access_in remark 7472 EPO-items outside inside
    access-list outside_access_in extended permit tcp any any eq 7472
    access-list outside_access_in extended permit tcp any any object-group RDP inactive
    access-list outside_access_in extended permit tcp any any eq www
    access-list outside_access_in extended permit tcp any any object-group HTTPS_redirected
    access-list outside_access_in extended permit tcp any any eq https
    access-list outside_access_in remark hyperion outside inside
    access-list outside_access_in extended permit tcp Hyperion 255.255.255.0 object-group DM_INLINE_NETWORK_4
    access-list outside_access_in extended permit ip Hyperion 255.255.255.0 object-group DM_INLINE_NETWORK_3
    access-list outside_access_in extended permit tcp any host LifeSize-PE-HQ eq h323
    access-list outside_access_in extended permit tcp any host LifeSize-PE-HQ object-group VC-TCP
    access-list outside_access_in extended permit udp any host LifeSize-PE-HQ object-group UDP-VC
    access-list outside_access_in extended permit ip any any
    access-list outside_access_in extended permit udp any any eq 4500
    access-list outside_access_in extended permit udp any any eq isakmp
    access-list outside_access_in extended permit udp any any eq 10000
    access-list outside_access_in extended permit gre any any
    access-list outside_access_in extended permit tcp any any eq pptp
    access-list outside_access_in extended permit tcp any any object-group DM_INLINE_TCP_1
    access-list outside_access_in extended permit ip object-group DM_INLINE_NETWORK_8 192.168.72.0 255.255.255.0 inactive
    access-list outside_access_in extended permit tcp any any object-group Atera
    access-list outside_access_in extended deny ip any any log debugging inactive
    access-list outside_1_cryptomap extended permit ip object-group DM_INLINE_NETWORK_2 Hyperion 255.255.255.0
    access-list outside_1_cryptomap extended permit ip 192.168.50.0 255.255.255.0 Hyperion 255.255.255.0
    access-list inside_nat0_outbound extended permit ip 192.168.72.0 255.255.255.0 Hyperion 255.255.255.0
    access-list inside_nat0_outbound extended permit ip any 193.172.182.64 255.255.255.240
    access-list inside_nat0_outbound extended permit ip any 192.168.72.192 255.255.255.192
    access-list inside_nat0_outbound extended permit ip any 192.168.72.0 255.255.255.0
    access-list inside_nat0_outbound extended permit ip 192.168.72.0 255.255.255.0 VPN_Pool_2 255.255.255.0
    access-list inside_nat0_outbound extended permit ip 192.168.72.0 255.255.255.0 object-group DM_INLINE_NETWORK_5
    access-list inside_nat0_outbound extended permit ip any GrandVisionSoesterberg 255.255.255.0
    access-list inside_nat0_outbound extended permit ip any Swabach 255.255.255.0
    access-list 200 extended permit tcp any host fortis object-group fortis
    access-list outside_nat0_outbound extended permit ip VPN_Pool_2 255.255.255.0 object-group DM_INLINE_NETWORK_9
    access-list outside_cryptomap_2 extended permit ip object-group DM_INLINE_NETWORK_1 Hyperion 255.255.255.0
    access-list outside_cryptomap_2 extended permit ip 192.168.50.0 255.255.255.0 Hyperion 255.255.255.0
    access-list Wireless_access_in remark Hyperion / wifi access, check NAT rule.
    access-list Wireless_access_in extended permit ip 192.168.40.0 255.255.255.0 Hyperion 255.255.255.0 inactive
    access-list Wireless_access_in extended deny ip 192.168.40.0 255.255.255.0 192.168.72.0 255.255.255.0
    access-list Wireless_access_in remark Internet traffic
    access-list Wireless_access_in extended permit ip 192.168.40.0 255.255.255.0 any
    access-list splittunnelclientvpn standard permit 192.168.72.0 255.255.255.0
    access-list splittunnelclientvpn standard permit Hyperion 255.255.255.0
    access-list splittunnelclientvpn standard permit Pearleshare 255.255.255.0
    access-list splittunnelclientvpn standard permit host 85.17.235.22
    access-list splittunnelclientvpn standard permit OracleThree 255.255.224.0
    access-list splittunnelclientvpn standard permit 143.47.128.0 255.255.240.0
    access-list splittunnelclientvpn standard permit host inethost
    access-list SplittnlHyperion standard permit OracleThree 255.255.0.0
    access-list SplittnlOOD standard permit OracleThree 255.255.0.0
    access-list SplittnlOOD standard permit 143.47.128.0 255.255.240.0
    access-list outside_cryptomap extended permit ip 192.168.72.0 255.255.255.0 object-group DM_INLINE_NETWORK_6
    access-list outside_cryptomap_1 extended permit ip any GrandVisionSoesterberg 255.255.255.0
    access-list outside_cryptomap_3 extended permit ip any Swabach 255.255.255.0
    access-list sheep extended permit ip 192.168.72.0 255.255.255.0 GrandVisionSoesterberg 255.255.255.0
    access-list sheep extended permit ip 192.168.72.0 255.255.255.0 VPN_Pool_2 255.255.255.0

    pager lines 24
    logging enable
    logging asdm informational
    mtu inside 1500
    mtu outside 1500
    mtu dmz 1500
    mtu wireless 1500
    ip local pool VPN_DHCP 192.168.72.220-192.168.72.235 mask 255.255.255.0
    ip local pool VPN_Range_2 192.168.75.1-192.168.75.50 mask 255.255.255.0
    no failover
    icmp unreachable rate-limit 1 burst-size 1
    icmp permit any inside
    icmp permit any outside
    asdm image disk0:/asdm-613.bin
    no asdm history enable
    arp timeout 14400
    global (outside) 1 interface
    nat (inside) 0 access-list sheep
    nat (inside) 1 0.0.0.0 0.0.0.0
    nat (wireless) 1 192.168.40.0 255.255.255.0
    static (inside,outside) tcp interface smtp Mailsrv_Pearle_Europe smtp netmask 255.255.255.255
    static (inside,outside) tcp interface ftp Pearle-DC02 ftp netmask 255.255.255.255
    static (inside,outside) tcp interface 990 Pearle-DC02 990 netmask 255.255.255.255
    static (inside,outside) tcp interface 3389 Mailsrv_Pearle_Europe 3389 netmask 255.255.255.255
    static (inside,outside) tcp interface www Pearle-DC02 www netmask 255.255.255.255
    static (inside,outside) tcp interface 40200 Pearle-DC02 40200 netmask 255.255.255.255
    static (inside,outside) tcp interface https Exchange2010 https netmask 255.255.255.255
    static (inside,outside) tcp interface h323 LifeSize-PE-HQ h323 netmask 255.255.255.255
    static (inside,outside) tcp interface 60000 LifeSize-PE-HQ 60000 netmask 255.255.255.255
    static (inside,outside) tcp interface 60001 LifeSize-PE-HQ 60001 netmask 255.255.255.255
    static (inside,outside) tcp interface 60002 LifeSize-PE-HQ 60002 netmask 255.255.255.255
    static (inside,outside) tcp interface 60003 LifeSize-PE-HQ 60003 netmask 255.255.255.255
    static (inside,outside) tcp interface 60004 LifeSize-PE-HQ 60004 netmask 255.255.255.255
    static (inside,outside) tcp interface 60005 LifeSize-PE-HQ 60005 netmask 255.255.255.255
    static (inside,outside) tcp interface 60006 LifeSize-PE-HQ 60006 netmask 255.255.255.255
    static (inside,outside) tcp interface 60007 LifeSize-PE-HQ 60007 netmask 255.255.255.255
    static (inside,outside) tcp interface 60008 LifeSize-PE-HQ 60008 netmask 255.255.255.255
    static (inside,outside) tcp interface 60009 LifeSize-PE-HQ 60009 netmask 255.255.255.255
    static (inside,outside) udp interface 60001 LifeSize-PE-HQ 60001 netmask 255.255.255.255
    static (inside,outside) udp interface 60002 LifeSize-PE-HQ 60002 netmask 255.255.255.255
    static (inside,outside) udp interface 60003 LifeSize-PE-HQ 60003 netmask 255.255.255.255
    static (inside,outside) udp interface 60004 LifeSize-PE-HQ 60004 netmask 255.255.255.255
    static (inside,outside) udp interface 60005 LifeSize-PE-HQ 60005 netmask 255.255.255.255
    static (inside,outside) udp interface 60006 LifeSize-PE-HQ 60006 netmask 255.255.255.255
    static (inside,outside) udp interface 60007 LifeSize-PE-HQ 60007 netmask 255.255.255.255
    static (inside,outside) udp interface 60008 LifeSize-PE-HQ 60008 netmask 255.255.255.255
    static (inside,outside) udp interface 60009 LifeSize-PE-HQ 60009 netmask 255.255.255.255
    static (inside,outside) udp interface 60010 LifeSize-PE-HQ 60010 netmask 255.255.255.255
    static (inside,outside) udp interface 60011 LifeSize-PE-HQ 60011 netmask 255.255.255.255
    static (inside,outside) udp interface 60012 LifeSize-PE-HQ 60012 netmask 255.255.255.255
    static (inside,outside) udp interface 60013 LifeSize-PE-HQ 60013 netmask 255.255.255.255
    static (inside,outside) udp interface 60014 LifeSize-PE-HQ 60014 netmask 255.255.255.255
    static (inside,outside) udp interface 60015 LifeSize-PE-HQ 60015 netmask 255.255.255.255
    static (inside,outside) udp interface 60016 LifeSize-PE-HQ 60016 netmask 255.255.255.255
    static (inside,outside) udp interface 60017 LifeSize-PE-HQ 60017 netmask 255.255.255.255
    static (inside,outside) udp interface 60018 LifeSize-PE-HQ 60018 netmask 255.255.255.255
    static (inside,outside) udp interface 60019 LifeSize-PE-HQ 60019 netmask 255.255.255.255
    static (inside,outside) udp interface 60020 LifeSize-PE-HQ 60020 netmask 255.255.255.255
    static (inside,outside) udp interface 60021 LifeSize-PE-HQ 60021 netmask 255.255.255.255
    static (inside,outside) udp interface 60022 LifeSize-PE-HQ 60022 netmask 255.255.255.255
    static (inside,outside) udp interface 60023 LifeSize-PE-HQ 60023 netmask 255.255.255.255
    static (inside,outside) udp interface 60024 LifeSize-PE-HQ 60024 netmask 255.255.255.255
    static (inside,outside) udp interface 60025 LifeSize-PE-HQ 60025 netmask 255.255.255.255
    static (inside,outside) udp interface 60026 LifeSize-PE-HQ 60026 netmask 255.255.255.255
    static (inside,outside) udp interface 60027 LifeSize-PE-HQ 60027 netmask 255.255.255.255
    static (inside,outside) udp interface 60028 LifeSize-PE-HQ 60028 netmask 255.255.255.255
    static (inside,outside) udp interface 60029 LifeSize-PE-HQ 60029 netmask 255.255.255.255
    static (inside,outside) udp interface 60030 LifeSize-PE-HQ 60030 netmask 255.255.255.255
    static (inside,outside) udp interface 60031 LifeSize-PE-HQ 60031 netmask 255.255.255.255
    static (inside,outside) udp interface 60032 LifeSize-PE-HQ 60032 netmask 255.255.255.255
    static (inside,outside) udp interface 60033 LifeSize-PE-HQ 60033 netmask 255.255.255.255
    static (inside,outside) udp interface 60034 LifeSize-PE-HQ 60034 netmask 255.255.255.255
    static (inside,outside) udp interface 60035 LifeSize-PE-HQ 60035 netmask 255.255.255.255
    static (inside,outside) udp interface 60036 LifeSize-PE-HQ 60036 netmask 255.255.255.255
    static (inside,outside) udp interface 60037 LifeSize-PE-HQ 60037 netmask 255.255.255.255
    static (inside,outside) udp interface 60038 LifeSize-PE-HQ 60038 netmask 255.255.255.255
    static (inside,outside) udp interface 60039 LifeSize-PE-HQ 60039 netmask 255.255.255.255
    static (inside,outside) udp interface 60040 LifeSize-PE-HQ 60040 netmask 255.255.255.255
    static (inside,outside) tcp interface 7472 Mailsrv_Pearle_Europe 7472 netmask 255.255.255.255
    static (inside,outside) tcp interface 8001 LanSweep-XP 8001 netmask 255.255.255.255
    static (inside,outside) tcp interface 8002 LanSweep-XP 8002 netmask 255.255.255.255
    static (inside,outside) tcp interface 8003 LanSweep-XP 8003 netmask 255.255.255.255
    static (inside,outside) tcp 193.173.12.194 https Pearle-DC02 https netmask 255.255.255.255

    access-group inside_access_in in interface inside
    access-group outside_access_in in interface outside
    access-group Wireless_access_in in interface wireless
    route outside 0.0.0.0 0.0.0.0 193.173.12.206 1
    route outside OracleThree 255.255.224.0 193.173.12.198 1
    route outside 143.47.128.0 255.255.240.0 193.173.12.198 1
    route inside 172.27.0.0 255.255.255.0 Pearle-DC02 1
    timeout xlate 3:00:00
    timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
    timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
    timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
    timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
    dynamic-access-policy-record DfltAccessPolicy
    aaa authentication telnet console LOCAL
    aaa authentication ssh console LOCAL
    http server enable
    http 192.168.40.0 255.255.255.0 wireless
    http 192.168.1.0 255.255.255.0 inside
    http 192.168.72.0 255.255.255.0 inside
    http GrandVisionSoesterberg 255.255.255.0 inside
    snmp-server host inside 192.168.33.29 poll community public version 2c
    snmp-server location Schiphol
    snmp-server contact SSmeekes
    snmp-server community public
    snmp-server enable traps snmp authentication linkup linkdown coldstart

    crypto ipsec transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
    crypto ipsec transform-set ESP-DES-SHA esp-des esp-sha-hmac
    crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac
    crypto ipsec transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac
    crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
    crypto ipsec transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
    crypto ipsec transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
    crypto ipsec transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac
    crypto ipsec transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac
    crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
    crypto ipsec transform-set GRANDVISION esp-aes-256 esp-md5-hmac
    crypto ipsec security-association lifetime seconds 28800
    crypto ipsec security-association lifetime kilobytes 4608000
    crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set pfs
    crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5
    crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set security-association lifetime seconds 28800
    crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set security-association lifetime kilobytes 4608000
    crypto map outside_map0 1 match address outside_cryptomap_1
    crypto map outside_map0 1 set pfs
    crypto map outside_map0 1 set peer 212.78.223.182
    crypto map outside_map0 1 set transform-set ESP-3DES-SHA ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5
    crypto map outside_map0 1 set security-association lifetime seconds 28800
    crypto map outside_map0 1 set security-association lifetime kilobytes 4608000
    crypto map outside_map0 2 match address outside_cryptomap_2
    crypto map outside_map0 2 set peer 193.173.12.193
    crypto map outside_map0 2 set transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5
    crypto map outside_map0 2 set security-association lifetime seconds 28800
    crypto map outside_map0 2 set security-association lifetime kilobytes 4608000
    crypto map outside_map0 3 match address outside_1_cryptomap
    crypto map outside_map0 3 set pfs
    crypto map outside_map0 3 set peer 193.172.182.66
    crypto map outside_map0 3 set transform-set ESP-3DES-SHA
    crypto map outside_map0 3 set security-association lifetime seconds 28800
    crypto map outside_map0 3 set security-association lifetime kilobytes 4608000
    crypto map outside_map0 4 match address outside_cryptomap
    crypto map outside_map0 4 set peer 213.56.81.58
    crypto map outside_map0 4 set transform-set GRANDVISION
    crypto map outside_map0 4 set security-association lifetime seconds 28800
    crypto map outside_map0 4 set security-association lifetime kilobytes 4608000
    crypto map outside_map0 5 match address outside_cryptomap_3
    crypto map outside_map0 5 set pfs
    crypto map outside_map0 5 set peer 86.109.255.177
    crypto map outside_map0 5 set transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5
    crypto map outside_map0 5 set security-association lifetime seconds 28800
    crypto map outside_map0 5 set security-association lifetime kilobytes 4608000
    crypto map outside_map0 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
    crypto map outside_map0 interface outside
    crypto isakmp enable inside
    crypto isakmp enable outside
    crypto isakmp enable dmz
    crypto isakmp enable wireless
    crypto isakmp policy 5
     authentication pre-share
     encryption 3des
     hash sha
     group 2
     lifetime 86400

    Telnet 192.168.72.0 255.255.255.0 inside

    Telnet timeout 5

    SSH 192.168.72.0 255.255.255.0 inside

    SSH GrandVisionSoesterberg 255.255.255.0 inside

    SSH 213.144.239.0 255.255.255.192 outside

    SSH timeout 5

    Console timeout 0

    management-access inside

    dhcpd dns 194.151.228.18 is 10.10.1.100

    dhcpd outside auto_config

    !

    dhcpd address 192.168.72.253 - 192.168.72.253 inside

    !

    dhcpd address dmz 192.168.50.10 - 192.168.50.50

    dhcpd enable dmz

    !

    dhcpd address wireless 192.168.40.10 - 192.168.40.99

    dhcpd dns 194.151.228.18 wireless interface

    dhcpd activate wireless

    !

    a basic threat threat detection

    host of statistical threat detection

    statistical threat detection port

    Statistical threat detection Protocol

    Statistics-list of access threat detection

    no statistical threat detection tcp-interception

    Group Policy "pearle_vpn_Hyp only" internal

    attributes of Group Policy "pearle_vpn_Hyp only".

    value of server WINS 192.168.72.25

    value of server DNS 192.168.72.25

    Protocol-tunnel-VPN IPSec l2tp ipsec

    Split-tunnel-policy tunnelspecified

    value of Split-tunnel-network-list SplittnlHyperion

    Split-dns value pearle.local

    internal pearle_vpn_OOD_only group policy

    attributes of the strategy of group pearle_vpn_OOD_only

    value of Split-tunnel-network-list SplittnlOOD

    internal pearle_vpn group policy

    attributes of the strategy of group pearle_vpn

    value of server WINS 192.168.72.25

    value of server DNS 192.168.72.25

    Protocol-tunnel-VPN IPSec l2tp ipsec svc

    Split-tunnel-policy tunnelspecified

    value of Split-tunnel-network-list splittunnelclientvpn

    Pearle.local value by default-field

    Split-dns value pearle.local

    username anyone password encrypted password

    username something conferred

    VPN-group-policy pearle_vpn_OOD_only

    type of remote access service

    tunnel-group 193 type ipsec-l2l

    tunnel-group 193 ipsec-attributes

    pre-shared-key *.

    tunnel-group 193.173.12.193 type ipsec-l2l

    IPSec-attributes tunnel-group 193.173.12.193

    pre-shared-key *.

    NOCHECK Peer-id-validate

    type tunnel-group pearle_vpn remote access

    tunnel-group pearle_vpn General-attributes

    address pool VPN_Range_2

    Group Policy - by default-pearle_vpn

    pearle_vpn group of tunnel ipsec-attributes

    pre-shared-key *.

    type tunnel-group Pearle_VPN_2 remote access

    attributes global-tunnel-group Pearle_VPN_2

    address pool VPN_Range_2

    strategy-group-by default "pearle_vpn_Hyp only".

    IPSec-attributes tunnel-group Pearle_VPN_2

    pre-shared-key *.

    tunnel-group 213.56.81.58 type ipsec-l2l

    IPSec-attributes tunnel-group 213.56.81.58

    pre-shared-key *.

    tunnel-group 212.78.223.182 type ipsec-l2l

    IPSec-attributes tunnel-group 212.78.223.182

    pre-shared-key *.

    tunnel-group 86.109.255.177 type ipsec-l2l

    IPSec-attributes tunnel-group 86.109.255.177

    pre-shared-key *.

    !

    class-map inspection_default

    match default-inspection-traffic

    !

    !

    type of policy-card inspect dns preset_dns_map

    parameters

    message-length maximum 512

    Policy-map global_policy

    class inspection_default

    inspect the preset_dns_map dns

    inspect the ftp

    inspect h323 h225

    inspect the h323 ras

    inspect the rsh

    inspect the rtsp

    inspect the skinny

    inspect sunrpc

    inspect xdmcp

    inspect the sip

    inspect the netbios

    inspect the tftp

    inspect the pptp

    !

    global service-policy global_policy

    context of prompt hostname

    Cryptochecksum:7d4d9c7ca7c865d9e40f5d77ed1238eb

    : end

    ASDM image disk0: / asdm - 613.bin

    ASDM BESServer 255.255.255.255 inside location

    ASDM VPN_Pool_2 255.255.255.0 inside location

    ASDM OracleTwo 255.255.224.0 inside location

    ASDM OracleOne 255.255.240.0 inside location

    ASDM OracleThree 255.255.224.0 inside location

    ASDM location Exchange2010 255.255.255.255 inside

    ASDM location Grandvision 255.255.255.0 inside

    ASDM Grandvision2 255.255.255.240 inside location

    ASDM Grandvision3 255.255.255.0 inside location

    ASDM Grandvision4 255.255.255.255 inside location

    ASDM GrandVision_PC 255.255.255.255 inside location

    ASDM location LanSweep-XP 255.255.255.255 inside

    ASDM GrandVisionSoesterberg 255.255.255.0 inside location

    ASDM location Pearle-DC02 255.255.255.255 inside

    ASDM location Pearle-WDS 255.255.255.255 inside

    ASDM location Swabach 255.255.255.0 inside

    ASDM GrandVisionSoesterberg2 255.255.255.0 inside location

    don't allow no asdm history

    Where is that host (inethost)? Inside the ASA, or on the internet (on the outside)?

    If it is outside, you must configure NAT for the VPN pool on the ASA as well:

    nat (outside) 1 192.168.75.0 255.255.255.0
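As an added illustration (not from the reply's author), the pre-8.3 ASA configuration that the reply's one-line NAT statement normally sits in. It assumes the VPN pool is 192.168.75.0/24 as in the reply, that NAT ID 1 is free, and that client traffic leaves through the same outside interface it arrived on (a hairpin), which the ASA refuses unless intra-interface traffic is permitted.

```text
! Assumed: let VPN client traffic come in on outside and go back out on outside.
same-security-traffic permit intra-interface
! The reply's NAT statement: translate the VPN pool when it heads back out.
nat (outside) 1 192.168.75.0 255.255.255.0
! Assumed: NAT ID 1 is PATted behind the outside interface address.
global (outside) 1 interface
! Verification (assumed client address 192.168.75.10, placeholder destination):
! packet-tracer input outside icmp 192.168.75.10 8 0 <inethost-ip>
! The output should show a NAT phase hitting the rule above and the packet being allowed.
```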
