Static NAT with a route-map excluding the VPN

We have problems accessing certain statically NATted IPs via a VPN. After some research, we learned that you have to exclude traffic destined for the VPN from the static NAT using a route-map. So we did this:

10.1.1.x is the VPN IP pool.

access-list 130 deny ip 192.168.1.0 0.0.0.255 10.1.1.0 0.0.0.255
access-list 130 permit ip 192.168.1.0 0.0.0.255 any

route-map sheep permit 10
 match ip address 130

ip nat inside source static 192.168.1.5 1.1.1.1 route-map sheep

The above fixed the VPN, but 192.168.1.5 is no longer publicly reachable via 1.1.1.1. What seems to happen is that the static NAT is not really working and this IP address is NATted with the PAT IP instead.

Any ideas on how to get this to work?

Thank you
Diego

Hello

The following example details exactly your case:

http://www.Cisco.com/en/us/Tech/tk583/TK372/technologies_configuration_example09186a0080094634.shtml

Try replacing the 192.168.1.0 subnet with the host address.

It should work.

HTH

Laurent.

Tags: Cisco Security

Similar Questions

  • 2 static NAT on the same Interface

    I have an ASA 5510 (8.2(5)) and I'm trying to set up a site-to-site VPN with one of our suppliers. The problem I am running into is that they want me to NAT one specific IP to one of our servers' private IP, and this server already has a static NAT from the outside to a DMZ. This is the current NAT rule:

    static (DMZ1,outside) 65.43.x.x 10.0.0.3 netmask 255.255.255.255

    and they want me to map 172.28.9.42 to the same server, so I tried to add:

    static (DMZ1,outside) 172.28.9.42 10.0.0.3 netmask 255.255.255.255

    but I can't, because it's a duplicate translation.

    Any help would be greatly appreciated.

    Hello

    It seems to me you must configure a policy static NAT.

    The configuration would be as follows (the destination network is a placeholder to fill in):

    access-list DMZ-POLICY-NAT permit ip host 10.0.0.3 <destination-network> <mask>

    static (DMZ1,outside) 172.28.9.42 access-list DMZ-POLICY-NAT

    Regarding the configuration:

    • The ACL name can naturally be whatever you want
    • The destination network can be a single host IP address if necessary
    • You should be able to configure multiple lines if necessary

    Note that you need to have this NAT configuration before the static NAT command for the real public IP address. You need to remove the existing static NAT, configure the above, and then add the original back.

    This is because if you do not configure the policy static NAT first in the configuration, all traffic will keep hitting the normal static NAT rule for the public IP address.

    -Jouni

  • Next hop for the static route on the VPN site to site ASA?

    Hi all

    I would be grateful if someone could help me with my ASA problem/misunderstanding. I have a site-to-site VPN on an ASA. I want to add a floating static route pointing to the VPN on the ASA. Note that the traffic in this case is not within the subnets of the crypto ACL that is used to bring up the VPN. This VPN is used only as a backup.

    Should the static route's next hop be the local public address or the remote public address of the VPN? Or maybe the next hop of the local ASA's ISP Internet-facing interface? I intend to do this in ASDM. I'm sorry if it's a simple question, but I found no material that explains this.

    Regards

    Ahh, ok, makes sense.

    The next hop should be the next hop of the interface that terminates the VPN connection, essentially the same as your Internet connection / outside interface next hop.

    Example topology:

    Site B (outside interface - 1.1.1.1) - (next hop: 1.1.1.2) Internet

    The static route would be:

    route outside 10.2.2.2 255.255.255.255 1.1.1.2 200

    I hope this helps.

  • PIX 515E (7.0.1) - problem with the VPN connection between inside and outside

    Hello

    I've created a VLAN on the PIX.

    In this VLAN, users are only allowed to connect to the Internet. Everything is fine, but when someone tries to connect with their VPN client to their company, there are problems... (Outbound traffic flows, but no traffic comes back.)

    Is the only solution to this problem to create a NAT pool with public IP addresses (one-to-one mapping), or is there another solution with a single public IP address (PAT) possible for this problem?

    Thanks for your replies.

    D.

    The problem is that ESP is an IP protocol, so PAT will not work in this scenario. When the return traffic comes back to the PIX, it doesn't know how to get to the inside host. The only way to do this is by adding a static NAT (1-to-1 mapping) and creating a rule to allow ESP. What type of VPN client is it? Microsoft VPN? Cisco VPN? If Cisco VPN, perhaps they can use NAT-T on the VPN, which overcomes the PAT issue by encapsulating IPsec within UDP packets. You need to talk to the VPN admin and have them allow it.

    -kevin

  • Split of static traffic between the VPN and NAT

    Hi all

    We have a site-to-site VPN that secures all traffic to and from 10.160.8.0/24 to/from 10.0.0.0/8. It's for everything - including Internet traffic. However, there is one exception (of course)...

    The part that I can't make work is this: if traffic comes from the VPN (10.0.0.0/8) to 10.160.8.5 (on 80 or 443), then the return traffic must go back through the VPN. BUT, if traffic on 80 or 443 comes from anywhere else (Internet via X.X.X.X, which translates to 10.160.8.5), then it needs to be translated and sent back out to the Internet via Gig2.

    I have the following setup (tried to include just the necessary lines)...

    interface GigabitEthernet2
     ip address Y.Y.Y.Y 255.255.255.0   ! X.X.X.X and Y.Y.Y.Y are in the same subnet
     ip address X.X.X.X 255.255.255.0 secondary
     ip nat outside
     crypto map ipsec-map-S2S

    interface GigabitEthernet4.2020
     description 2020
     encapsulation dot1Q 2020
     ip address 10.160.8.1 255.255.255.0
     ip nat inside
     ip virtual-reassembly

    ip nat inside source list NAT-outgoing interface GigabitEthernet2 overload
    ip nat inside source static tcp 10.160.8.5 80 X.X.X.X 80 route-map NO-NAT extendable
    ip nat inside source static tcp 10.160.8.5 443 X.X.X.X 443 route-map NO-NAT extendable

    ip access-list extended NAT-outgoing
     deny   tcp host 10.160.8.5 10.0.0.0 0.0.0.255 eq www
     deny   tcp host 10.160.8.5 10.0.0.0 0.0.0.255 eq 443
     permit tcp host 10.160.8.5 any eq www
     permit tcp host 10.160.8.5 any eq 443

    ip access-list extended NO-NAT
     deny   tcp host 10.160.8.5 10.0.0.0 0.0.0.255 eq www
     deny   tcp host 10.160.8.5 10.0.0.0 0.0.0.255 eq 443
     permit ip any any

    route-map NO-NAT permit 10
     match ip address NO-NAT

    With the above configuration, we can get to 10.160.8.5 from the Internet, but cannot reach it over the VPN tunnel (from 10.200.0.0/16). If I remove the two "ip nat inside source static..." commands, then the opposite happens - I can then get to 10.160.8.5 over the VPN tunnel, but I now can't get to it from the Internet.

    How can I get both? It seems that when I hit the first NAT statement (overload on Gig2), the 'deny' in the NAT-outgoing ACL punts me out of that NAT statement. It then processes the following NAT statement (one of the "ip nat inside source static..." lines), but the 'deny' in the NO-NAT ACL does not seem to punt me out of that NAT statement. That's my theory anyway (maybe something else is happening?)

    Does it work like that, or am I misunderstanding something? It's on a Cisco Cloud Services Router (CSR 1000v).

    Thank you!

    Your netmask is wrong for your 10.0.0.0/8. I would not worry about the port/protocol either, since that can screw you up. A better way to do it would be to deny all VPN IP traffic.

    ip access-list extended NAT-outgoing
     deny   ip 10.160.8.0 0.0.0.255 10.0.0.0 0.255.255.255
     ...

    ip access-list extended NO-NAT
     deny   ip 10.160.8.0 0.0.0.255 10.0.0.0 0.255.255.255
     permit ip any any

    Doc:

    Router-to-Router IPsec with NAT Overload and Cisco Secure VPN Client

    Thank you

    Brendan
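As an added illustration (not code from either thread), the following Python models how an IOS extended ACL bound to a NAT route-map decides whether a flow is translated: first-match semantics plus Cisco wildcard-mask matching. It replays the CSR poster's NO-NAT list against a reply to a host in the 10.200.0.0/16 site to show why `10.0.0.0 0.0.0.255` does not exempt that flow while Brendan's `0.255.255.255` does, and replays ACL 130 from the opening question in its subnet form and in the host form Laurent suggests. The addresses 10.200.0.10 and 203.0.113.9 are constructed sample endpoints.

```python
import ipaddress

PORT_NAMES = {"www": 80, "ftp": 21, "domain": 53}  # service names IOS accepts after "eq"

def wildcard_match(addr: str, network: str, wildcard: str) -> bool:
    """Cisco wildcard-mask test: a 0 bit in the mask must match, a 1 bit is 'don't care'."""
    a = int(ipaddress.IPv4Address(addr))
    n = int(ipaddress.IPv4Address(network))
    care = ~int(ipaddress.IPv4Address(wildcard)) & 0xFFFFFFFF
    return (a & care) == (n & care)

def _parse_addr(tok, i):
    """Consume one address spec at tok[i]: 'any' | 'host A' | 'A WILDCARD'."""
    if tok[i] == "any":
        return "0.0.0.0", "255.255.255.255", i + 1
    if tok[i] == "host":
        return tok[i + 1], "0.0.0.0", i + 2
    return tok[i], tok[i + 1], i + 2

def _parse_port(tok, i):
    """Consume an optional 'eq <port>' at tok[i]; returns (port or None, next index)."""
    if i < len(tok) and tok[i] == "eq":
        p = tok[i + 1]
        return (PORT_NAMES[p] if p in PORT_NAMES else int(p)), i + 2
    return None, i

def parse_acl(text: str):
    """Parse 'permit|deny <proto> <src> [eq p] <dst> [eq p]' entries from either
    numbered ('access-list 130 ...') or named ('ip access-list extended ...') syntax."""
    entries = []
    for line in text.strip().splitlines():
        tok = line.split()
        if tok and tok[0] == "access-list":
            tok = tok[2:]  # drop 'access-list <number>'
        if not tok or tok[0] not in ("permit", "deny"):
            continue  # header line, blank or comment
        action, proto = tok[0], tok[1]
        src, src_wc, i = _parse_addr(tok, 2)
        sport, i = _parse_port(tok, i)
        dst, dst_wc, i = _parse_addr(tok, i)
        dport, _ = _parse_port(tok, i)
        entries.append((action, proto, src, src_wc, sport, dst, dst_wc, dport))
    return entries

def evaluate(entries, src, dst, proto="ip", sport=None, dport=None) -> str:
    """First matching entry wins; running off the end is the implicit deny."""
    for action, p, s, s_wc, sp, d, d_wc, dp in entries:
        if p != "ip" and p != proto:
            continue
        if (sp is not None and sp != sport) or (dp is not None and dp != dport):
            continue
        if wildcard_match(src, s, s_wc) and wildcard_match(dst, d, d_wc):
            return action
    return "deny"

def is_translated(acl_text: str, src: str, dst: str, proto="ip", dport=None) -> bool:
    """'ip nat inside source ... route-map X' with 'route-map X permit 10 / match ip address ACL':
    the flow is translated only when the ACL permits it; a deny leaves it untranslated."""
    return evaluate(parse_acl(acl_text), src, dst, proto, None, dport) == "permit"

# NO-NAT list as posted in the CSR thread (0.0.0.255 only covers 10.0.0.0/24) and Brendan's fix.
NO_NAT_AS_POSTED = """
ip access-list extended NO-NAT
 deny   tcp host 10.160.8.5 10.0.0.0 0.0.0.255 eq www
 deny   tcp host 10.160.8.5 10.0.0.0 0.0.0.255 eq 443
 permit ip any any
"""
NO_NAT_FIXED = """
ip access-list extended NO-NAT
 deny   ip 10.160.8.0 0.0.0.255 10.0.0.0 0.255.255.255
 permit ip any any
"""
# ACL 130 from the opening question: subnet form as posted, and Laurent's host form.
ACL_130_SUBNET = """
access-list 130 deny ip 192.168.1.0 0.0.0.255 10.1.1.0 0.0.0.255
access-list 130 permit ip 192.168.1.0 0.0.0.255 any
"""
ACL_130_HOST = """
access-list 130 deny ip host 192.168.1.5 10.1.1.0 0.0.0.255
access-list 130 permit ip host 192.168.1.5 any
"""
VPN_PEER = "10.200.0.10"  # constructed host in the 10.200.0.0/16 site behind the tunnel
INTERNET = "203.0.113.9"  # constructed Internet client (documentation range)

def demo() -> dict:
    """Whether each sample flow would be translated by a NAT rule bound to that ACL."""
    return {
        "csr_reply_to_vpn_as_posted": is_translated(NO_NAT_AS_POSTED, "10.160.8.5", VPN_PEER, "tcp", 80),
        "csr_reply_to_vpn_fixed": is_translated(NO_NAT_FIXED, "10.160.8.5", VPN_PEER, "tcp", 80),
        "csr_reply_to_internet_fixed": is_translated(NO_NAT_FIXED, "10.160.8.5", INTERNET, "tcp", 80),
        "q_host_to_vpn_pool": is_translated(ACL_130_HOST, "192.168.1.5", "10.1.1.7"),
        "q_host_to_internet": is_translated(ACL_130_HOST, "192.168.1.5", INTERNET),
        "q_other_host_subnet_form": is_translated(ACL_130_SUBNET, "192.168.1.9", INTERNET),
        "q_other_host_host_form": is_translated(ACL_130_HOST, "192.168.1.9", INTERNET),
    }
```

The as-posted NO-NAT list permits the reply towards 10.200.0.10, so the static rule would translate it to X.X.X.X and it would no longer match the crypto ACL; the corrected mask denies it and leaves the inside address intact for the tunnel.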

  • Cisco IOS - how config static nat to NAT on the VPN

    Hello world

    I need help.

    I configured a site-to-site VPN between two IOS routers. One of the routers already had a static NAT (172.16.100.1 inside to a public IP address), but this static NAT prevents remote VPN hosts from accessing the 172.16.100.1 host, as it tries to send the response from the public NAT IP configured on the router.

    Does anyone know how to use static NAT from inside to outside, but not NAT the inside-to-outside VPN traffic?

    I know how to do it using a route-map for "overload" dynamic NAT, but I can't see how you can use a route-map on the static NAT statement.

    Any help you can provide would be appreciated.

    Chris

    Hi Chris

    Take a look at the attached document, which gives a few examples of the very thing you are trying to do.

    http://www.Cisco.com/en/us/products/SW/iosswrel/ps1839/products_feature_guide09186a0080087bac.html

    HTH

    Jon

  • Static reference with a global variable

    Hi, I used a static reference to a SubVI where I change a global variable before (3-4 years ago) and do not remember how I did it.

    It was something like these attachments, but now I'm using LabVIEW 2013 instead of LV 8.6.

    The change to the global is not seen in the main VI (looks like the Invoke Node "Run VI" does not work with globals).

    In addition, the VI closes with the Invoke Node "Close VI", but not if I set the option in the SubVI properties to close automatically.

    dkfire wrote:

    Why not call the sub VI as usual, just with the setting to display the front panel when it is called?

    Use the connector pane to transfer the value of the sub VI's OK button when done.

    That's what I recommend. If this is not possible for some reason, then you will need to use a flat sequence structure to force the reading of the global variable after the SubVI is complete.

  • Static NAT with ASA 5520

    Hi all

    I have the following situation.

    The following static NAT rules:

    static (inside,outside) tcp 200.200.200.200 80 10.0.0.200 80 netmask 255.255.255.255

    static (inside,outside) tcp 200.200.200.200 8080 10.0.0.200 80 netmask 255.255.255.255

    I would like to redirect all packets destined for ports 8080 and 80 on IP address 200.200.200.200

    to the private IP address 10.0.0.200 on port 80.

    When I tried to do that, the ASA said there is already a rule. Is there a way it can be done?

    Kind regards.

    I don't think you can do port forwarding using the same local destination IP on port 80 in this way; the firewall will give you duplicate static entries.

    You can however get around it by giving the 10.0.0.200 NIC a secondary IP address, i.e. 10.0.0.201, and make the statics as follows.

    static (inside,outside) tcp 200.200.200.200 8080 10.0.0.201 www netmask 255.255.255.255

    static (inside,outside) tcp 200.200.200.200 80 10.0.0.200 80 netmask 255.255.255.255

    See examples of port forwarding:

    http://www.Cisco.com/en/us/products/HW/vpndevc/ps2030/products_tech_note09186a00804708b4.shtml

    Regards

  • Problem with the VPN and NAT configuration

    Hi all

    I have a VPN tunnel, and NATing takes place at the remote site.

    The VPN tunnel passes user traffic absolutely perfectly, but I am struggling to manage the device via SNMP through the VPN tunnel.

    The remote subnet is 192.168.10.0/24

    That subnet gets PAT'd to 192.168.4.254/32

    The subnet at HQ is 10.0.16.0/24

    The IP address of the remote ASA is 192.168.10.10

    Of course, as this subnet is NATted, I created a static NAT so that 192.168.4.253 translates to 192.168.10.10.

    I can see that packets destined to the device address 192.168.4.253 arrive at the end of the tunnel, as the number of decrypted packets increases when you run a continuous ping to the device.

    However, the unit will not return these packets. The tunnel shows 0 packets encrypted.

    Please let me know if you need more information, or the output of the complete configuration.

    When I start a capture on the remote ASA, I don't see ICMP packets reaching the ASA's real IP (192.168.10.10). Maybe I set up my NAT wrong?

    Also, there is no inside interface, only an outside interface. And the default route points to the ISP's next-hop router on the outside interface.

    Hope that all makes sense.

    Thank you

    Mario Rosa

    No, unfortunately you cannot NAT the IP of the ASA's outside interface itself.

  • NAT on the VPN traffic

    Hello everyone, I need help with a VPN configuration. The problem is that I need to NAT all VPN traffic: I need to put a VPN in place, but I already have another VPN with the same network, so it overlaps with the new one. How can I NAT all the overlapping traffic to another network in order to avoid the overlap?

    Please, I really need help

    Thank you

    You say that 192.168.1.100 is able to go through the tunnel and to the Internet now?

    Try adding another...

    ip nat inside source static 192.168.1.101 10.10.44.101 route-map VPN

    for example.

    Federico.

  • I have a problem with the VPN not working on the computer.

    Hello, I have a Windows VPN running between two computers running Windows 7. Recently it has stopped working; I can still connect to the VPN correctly and ping the VPN IP, but my mapped drives now say

    "An error occurred while connecting Z: to
    \\blahblah\blah
    Microsoft Windows Network: The network path was not found.

    This connection has not been restored."

    There is no firewall or antivirus running, and I even resorted to a restore point from a few days ago, when the network was working.

    Original title: VPN doesn't work anymore

    Hi Justin,

    I would have you post your query in the TechNet Forums, because it caters to an audience of IT professionals.

    Your question would be better suited there.

    Check out the link:

    http://social.technet.Microsoft.com/forums/en-us/w7itpronetworking/threads

    Get back to us for any issues related to Windows in the future. We will be happy to help you.

    Thank you.

  • Problem with the VPN site to site for the two cisco asa 5505

    Starting out with Cisco ASA. I wanted to set up a Cisco site-to-site VPN. I need help. I can't ping from site A to site B or vice versa.

    Cisco ASA1 config

    interface Ethernet0/0
     switchport access vlan 1
    !
    interface Ethernet0/1
     switchport access vlan 2
    !
    interface Vlan1
     nameif outside
     security-level 0
     ip address 172.xxx.xx.4 255.255.240.0
    !
    interface Vlan2
     nameif inside
     security-level 100
     ip address 192.168.60.2 255.255.255.0
    !
    ftp mode passive
    object network Lan_Outside
     subnet 192.168.60.0 255.255.255.0
    object network NETWORK_OBJ_192.168.1.0_24
     subnet 192.168.1.0 255.255.255.0
    object network NETWORK_OBJ_192.168.60.0_24
     subnet 192.168.60.0 255.255.255.0
    object-group protocol DM_INLINE_PROTOCOL_1
     protocol-object ip
     protocol-object icmp
    object-group protocol DM_INLINE_PROTOCOL_2
     protocol-object ip
     protocol-object icmp
    object-group protocol DM_INLINE_PROTOCOL_3
     protocol-object ip
     protocol-object icmp
    access-list Outside_cryptomap extended permit ip 192.168.60.0 255.255.255.0 192.168.1.0 255.255.255.0
    access-list Outside_cryptomap extended permit object-group DM_INLINE_PROTOCOL_3 any any
    access-list Outside_access_in extended permit object-group DM_INLINE_PROTOCOL_1 any any
    access-list Inside_access_in extended permit object-group DM_INLINE_PROTOCOL_2 any any
    object network Lan_Outside
     nat (inside,outside) dynamic interface dns
    access-group Outside_access_in in interface outside
    access-group Inside_access_in in interface inside
    route outside 0.0.0.0 0.0.0.0 172.110.xx.1 1
    timeout xlate 3:00:00
    timeout pat-xlate 0:00:30
    timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
    timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
    timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
    timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
    timeout tcp-proxy-reassembly 0:01:00
    timeout floating-conn 0:00:00
    dynamic-access-policy-record DfltAccessPolicy
    user-identity default-domain LOCAL
    aaa authentication http console LOCAL
    http server enable
    http 192.168.60.0 255.255.255.0 inside
    http 96.xx.xx.222 255.255.255.255 outside
    no snmp-server location
    no snmp-server contact
    crypto ipsec ikev1 transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
    crypto ipsec ikev1 transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac
    crypto ipsec ikev1 transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac
    crypto ipsec ikev1 transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac
    crypto ipsec ikev1 transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
    crypto ipsec ikev1 transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
    crypto ipsec ikev1 transform-set ESP-AES-128-SHA-TRANS esp-aes esp-sha-hmac
    crypto ipsec ikev1 transform-set ESP-AES-128-SHA-TRANS mode transport
    crypto ipsec ikev1 transform-set ESP-AES-128-MD5-TRANS esp-aes esp-md5-hmac
    crypto ipsec ikev1 transform-set ESP-AES-128-MD5-TRANS mode transport
    crypto ipsec ikev1 transform-set ESP-AES-192-SHA-TRANS esp-aes-192 esp-sha-hmac
    crypto ipsec ikev1 transform-set ESP-AES-192-SHA-TRANS mode transport
    crypto ipsec ikev1 transform-set ESP-AES-192-MD5-TRANS esp-aes-192 esp-md5-hmac
    crypto ipsec ikev1 transform-set ESP-AES-192-MD5-TRANS mode transport
    crypto ipsec ikev1 transform-set ESP-AES-256-SHA-TRANS esp-aes-256 esp-sha-hmac
    crypto ipsec ikev1 transform-set ESP-AES-256-SHA-TRANS mode transport
    crypto ipsec ikev1 transform-set ESP-AES-256-MD5-TRANS esp-aes-256 esp-md5-hmac
    crypto ipsec ikev1 transform-set ESP-AES-256-MD5-TRANS mode transport
    crypto ipsec ikev1 transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
    crypto ipsec ikev1 transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
    crypto ipsec ikev1 transform-set ESP-3DES-SHA-TRANS esp-3des esp-sha-hmac
    crypto ipsec ikev1 transform-set ESP-3DES-SHA-TRANS mode transport
    crypto ipsec ikev1 transform-set ESP-3DES-MD5-TRANS esp-3des esp-md5-hmac
    crypto ipsec ikev1 transform-set ESP-3DES-MD5-TRANS mode transport
    crypto ipsec ikev1 transform-set ESP-DES-SHA esp-des esp-sha-hmac
    crypto ipsec ikev1 transform-set ESP-DES-MD5 esp-des esp-md5-hmac
    crypto ipsec ikev1 transform-set ESP-DES-SHA-TRANS esp-des esp-sha-hmac
    crypto ipsec ikev1 transform-set ESP-DES-SHA-TRANS mode transport
    crypto ipsec ikev1 transform-set ESP-DES-MD5-TRANS esp-des esp-md5-hmac
    crypto ipsec ikev1 transform-set ESP-DES-MD5-TRANS mode transport
    crypto ipsec ikev2 ipsec-proposal DES
     protocol esp encryption des
     protocol esp integrity sha-1 md5
    crypto ipsec ikev2 ipsec-proposal 3DES
     protocol esp encryption 3des
     protocol esp integrity sha-1 md5
    crypto ipsec ikev2 ipsec-proposal AES
     protocol esp encryption aes
     protocol esp integrity sha-1 md5
    crypto ipsec ikev2 ipsec-proposal AES192
     protocol esp encryption aes-192
     protocol esp integrity sha-1 md5
    crypto ipsec ikev2 ipsec-proposal AES256
     protocol esp encryption aes-256
     protocol esp integrity sha-1 md5
    crypto ipsec security-association pmtu-aging infinite
    crypto map Outside_map 1 match address Outside_cryptomap
    crypto map Outside_map 1 set peer 96.88.75.222
    crypto map Outside_map 1 set ikev1 transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5
    crypto map Outside_map 1 set ikev2 ipsec-proposal AES256 AES192 AES 3DES DES
    crypto map Outside_map interface outside
    crypto ca trustpool policy
    crypto ikev2 policy 1
     encryption aes-256
     integrity sha
     group 2 5
     prf sha
     lifetime seconds 86400
    crypto ikev2 policy 10
     encryption aes-192
     integrity sha
     group 2 5
     prf sha
     lifetime seconds 86400
    crypto ikev2 policy 20
     encryption aes
     integrity sha
     group 2 5
     prf sha
     lifetime seconds 86400
    crypto ikev2 policy 30
     encryption 3des
     integrity sha
     group 2 5
     prf sha
     lifetime seconds 86400
    crypto ikev2 policy 40
     encryption des
     integrity sha
     group 2 5
     prf sha
     lifetime seconds 86400
    crypto ikev2 enable outside
    crypto ikev1 enable outside
    crypto ikev1 policy 10
     authentication crack
     encryption aes-256
     hash sha
     group 2
     lifetime 86400
    crypto ikev1 policy 20
     authentication rsa-sig
     encryption aes-256
     hash sha
     group 2
     lifetime 86400
    crypto ikev1 policy 30
     authentication pre-share
     encryption aes-256
     hash sha
     group 2
     lifetime 86400
    crypto ikev1 policy 40
     authentication crack
     encryption aes-192
     hash sha
     group 2
     lifetime 86400
    crypto ikev1 policy 50
     authentication rsa-sig
     encryption aes-192
     hash sha
     group 2
     lifetime 86400
    crypto ikev1 policy 60
     authentication pre-share
     encryption aes-192
     hash sha
     group 2
     lifetime 86400
    crypto ikev1 policy 70
     authentication crack
     encryption aes
     hash sha
     group 2
     lifetime 86400
    crypto ikev1 policy 80
     authentication rsa-sig
     encryption aes
     hash sha
     group 2
     lifetime 86400
    crypto ikev1 policy 90
     authentication pre-share
     encryption aes
     hash sha
     group 2
     lifetime 86400
    crypto ikev1 policy 100
     authentication crack
     encryption 3des
     hash sha
     group 2
     lifetime 86400
    crypto ikev1 policy 110
     authentication rsa-sig
     encryption 3des
     hash sha
     group 2
     lifetime 86400
    crypto ikev1 policy 120
     authentication pre-share
     encryption 3des
     hash sha
     group 2
     lifetime 86400
    crypto ikev1 policy 130
     authentication crack
     encryption des
     hash sha
     group 2
     lifetime 86400
    crypto ikev1 policy 140
     authentication rsa-sig
     encryption des
     hash sha
     group 2
     lifetime 86400
    crypto ikev1 policy 150
     authentication pre-share
     encryption des
     hash sha
     group 2
     lifetime 86400
    telnet timeout 5
    ssh stricthostkeycheck
    ssh timeout 5
    ssh key-exchange group dh-group1-sha1
    console timeout 0
    management-access inside

    dhcpd address 192.168.60.50-192.168.60.100 inside
    dhcpd enable inside
    !
    threat-detection basic-threat
    threat-detection statistics access-list
    no threat-detection statistics tcp-intercept
    webvpn
     anyconnect-essentials
    group-policy GroupPolicy_96.xx.xx.222 internal
    group-policy GroupPolicy_96.xx.xx.222 attributes
     vpn-tunnel-protocol ikev1 ikev2
    username admin password f3UhLvUj1QsXsuK7 encrypted privilege 15
    tunnel-group 96.xx.xx.222 type ipsec-l2l
    tunnel-group 96.xx.xx.222 general-attributes
     default-group-policy GroupPolicy_96.xx.xx.222
    tunnel-group 96.xx.xx.222 ipsec-attributes
     ikev1 pre-shared-key *****
     ikev2 remote-authentication pre-shared-key *****
     ikev2 local-authentication pre-shared-key *****
    !
    class-map inspection_default
     match default-inspection-traffic
    !
    !
    policy-map type inspect dns preset_dns_map
     parameters
      message-length maximum client auto
      message-length maximum 512
    policy-map global_policy
     class inspection_default
      inspect dns preset_dns_map
      inspect ftp
      inspect h323 h225
      inspect h323 ras
      inspect rsh
      inspect rtsp
      inspect esmtp
      inspect sqlnet
      inspect skinny
      inspect sunrpc
      inspect xdmcp
      inspect sip
      inspect netbios
      inspect tftp
      inspect ip-options
      inspect icmp
      inspect icmp error

    ------------------------------------------------------------

    Cisco ASA2 config

    interface Ethernet0/0
     switchport access vlan 1
    !
    interface Ethernet0/1
     switchport access vlan 2
    !
    interface Vlan1
     nameif outside
     security-level 0
     ip address 96.xx.xx.222 255.255.255.248
    !
    interface Vlan2
     nameif inside
     security-level 100
     ip address 192.168.1.254 255.255.255.0
    !
    ftp mode passive
    same-security-traffic permit inter-interface
    same-security-traffic permit intra-interface
    object network Lan_Outside
     subnet 192.168.1.0 255.255.255.0
    object network NETWORK_OBJ_192.168.60.0_24
     subnet 192.168.60.0 255.255.255.0
    object network NETWORK_OBJ_192.168.1.0_24
     subnet 192.168.1.0 255.255.255.0
    object-group protocol DM_INLINE_PROTOCOL_1
     protocol-object ip
     protocol-object icmp
    object-group protocol DM_INLINE_PROTOCOL_2
     protocol-object ip
     protocol-object icmp
    object-group protocol DM_INLINE_PROTOCOL_3
     protocol-object ip
     protocol-object icmp
    object-group protocol DM_INLINE_PROTOCOL_4
     protocol-object ip
     protocol-object icmp
    access-list Outside_cryptomap extended permit object-group DM_INLINE_PROTOCOL_2 192.168.1.0 255.255.255.0 192.168.60.0 255.255.255.0
    access-list Outside_cryptomap extended permit object-group DM_INLINE_PROTOCOL_3 any any
    access-list Outside_access_in extended permit object-group DM_INLINE_PROTOCOL_1 any any
    access-list Inside_access_in extended permit object-group DM_INLINE_PROTOCOL_4 any any
    pager lines 24
    logging enable
    logging asdm informational
    mtu outside 1500
    mtu inside 1500
    no failover
    icmp unreachable rate-limit 1 burst-size 1
    no asdm history enable
    arp timeout 14400
    no arp permit-nonconnected
    nat (inside,outside) source static NETWORK_OBJ_192.168.1.0_24 NETWORK_OBJ_192.168.1.0_24 destination static NETWORK_OBJ_192.168.60.0_24 NETWORK_OBJ_192.168.60.0_24 no-proxy-arp route-lookup
    !
    object network Lan_Outside
     nat (any,outside) dynamic interface
    access-group Outside_access_in in interface outside
    access-group Inside_access_in in interface inside
    route outside 0.0.0.0 0.0.0.0 96.xx.xx.217 1
    timeout xlate 3:00:00
    timeout pat-xlate 0:00:30
    timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
    timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
    timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
    timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
    timeout tcp-proxy-reassembly 0:01:00
    timeout floating-conn 0:00:00
    dynamic-access-policy-record DfltAccessPolicy
    user-identity default-domain LOCAL
    aaa authentication http console LOCAL
    http server enable
    http 192.168.1.0 255.255.255.0 inside
    http 172.xxx.xx.4 255.255.255.255 outside
    no snmp-server location
    no snmp-server contact
    crypto ipsec ikev1 transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
    crypto ipsec ikev1 transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac
    crypto ipsec ikev1 transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac
    crypto ipsec ikev1 transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac
    crypto ipsec ikev1 transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
    crypto ipsec ikev1 transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
    crypto ipsec ikev1 transform-set ESP-AES-128-SHA-TRANS esp-aes esp-sha-hmac
    crypto ipsec ikev1 transform-set ESP-AES-128-SHA-TRANS mode transport
    crypto ipsec ikev1 transform-set ESP-AES-128-MD5-TRANS esp-aes esp-md5-hmac
    crypto ipsec ikev1 transform-set ESP-AES-128-MD5-TRANS mode transport
    crypto ipsec ikev1 transform-set ESP-AES-192-SHA-TRANS esp-aes-192 esp-sha-hmac
    crypto ipsec ikev1 transform-set ESP-AES-192-SHA-TRANS mode transport
    crypto ipsec ikev1 transform-set ESP-AES-192-MD5-TRANS esp-aes-192 esp-md5-hmac
    crypto ipsec ikev1 transform-set ESP-AES-192-MD5-TRANS mode transport
    crypto ipsec ikev1 transform-set ESP-AES-256-SHA-TRANS esp-aes-256 esp-sha-hmac
    crypto ipsec ikev1 transform-set ESP-AES-256-SHA-TRANS mode transport
    crypto ipsec ikev1 transform-set ESP-AES-256-MD5-TRANS esp-aes-256 esp-md5-hmac
    crypto ipsec ikev1 transform-set ESP-AES-256-MD5-TRANS mode transport
    crypto ipsec ikev1 transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
    crypto ipsec ikev1 transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
    crypto ipsec ikev1 transform-set ESP-3DES-SHA-TRANS esp-3des esp-sha-hmac
    crypto ipsec ikev1 transform-set ESP-3DES-SHA-TRANS mode transport
    crypto ipsec ikev1 transform-set ESP-3DES-MD5-TRANS esp-3des esp-md5-hmac
    crypto ipsec ikev1 transform-set ESP-3DES-MD5-TRANS mode transport
    crypto ipsec ikev1 transform-set ESP-DES-SHA esp-des esp-sha-hmac
    crypto ipsec ikev1 transform-set ESP-DES-MD5 esp-des esp-md5-hmac
    crypto ipsec ikev1 transform-set ESP-DES-SHA-TRANS esp-des esp-sha-hmac
    crypto ipsec ikev1 transform-set ESP-DES-SHA-TRANS mode transport
    crypto ipsec ikev1 transform-set ESP-DES-MD5-TRANS esp-des esp-md5-hmac
    crypto ipsec ikev1 transform-set ESP-DES-MD5-TRANS mode transport
    crypto ipsec ikev2 ipsec-proposal DES
     protocol esp encryption des
     protocol esp integrity sha-1 md5
    crypto ipsec ikev2 ipsec-proposal 3DES
     protocol esp encryption 3des
     protocol esp integrity sha-1 md5
    crypto ipsec ikev2 ipsec-proposal AES
     protocol esp encryption aes
     protocol esp integrity sha-1 md5
    crypto ipsec ikev2 ipsec-proposal AES192
     protocol esp encryption aes-192
     protocol esp integrity sha-1 md5
    crypto ipsec ikev2 ipsec-proposal AES256
     protocol esp encryption aes-256
     protocol esp integrity sha-1 md5
    crypto ipsec security-association pmtu-aging infinite
    crypto map Outside_map 1 match address Outside_cryptomap
    crypto map Outside_map 1 set peer 172.110.74.4
    crypto map Outside_map 1 set ikev1 transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5
    crypto map Outside_map 1 set ikev2 ipsec-proposal AES256 AES192 AES 3DES DES
    crypto map Outside_map interface outside
    crypto ca trustpool policy
    crypto ikev2 policy 1
     encryption aes-256
     integrity sha
     group 2 5
     prf sha
     lifetime seconds 86400
    crypto ikev2 policy 10
     encryption aes-192
     integrity sha
     group 2 5
     prf sha
     lifetime seconds 86400
    crypto ikev2 policy 20
     encryption aes
     integrity sha
     group 2 5
     prf sha
     lifetime seconds 86400
    crypto ikev2 policy 30
     encryption 3des
     integrity sha
     group 2 5
     prf sha
     lifetime seconds 86400
    crypto ikev2 policy 40
     encryption des
     integrity sha
     group 2 5
     prf sha
     lifetime seconds 86400
    crypto ikev2 enable outside
    crypto ikev1 enable outside
    crypto ikev1 policy 10
     authentication crack
     encryption aes-256
     hash sha
     group 2
     lifetime 86400
    crypto ikev1 policy 20
     authentication rsa-sig
     encryption aes-256
     hash sha
     group 2
     lifetime 86400
    crypto ikev1 policy 30
     authentication pre-share
     encryption aes-256
     hash sha
     group 2
     lifetime 86400
    crypto ikev1 policy 40
     authentication crack
     encryption aes-192
     hash sha
     group 2
     lifetime 86400
    crypto ikev1 policy 50
     authentication rsa-sig
     encryption aes-192
     hash sha
     group 2
     lifetime 86400
    crypto ikev1 policy 60
     authentication pre-share
     encryption aes-192
     hash sha
     group 2
     lifetime 86400
    crypto ikev1 policy 70
     authentication crack
     encryption aes
     hash sha
     group 2
     lifetime 86400
    crypto ikev1 policy 80
     authentication rsa-sig
     encryption aes
     hash sha
     group 2
     lifetime 86400
    crypto ikev1 policy 90
     authentication pre-share
     encryption aes
     hash sha
     group 2
     lifetime 86400
    crypto ikev1 policy 100
     authentication crack
     encryption 3des
     hash sha
     group 2
     lifetime 86400
    crypto ikev1 policy 110
     authentication rsa-sig
     encryption 3des
     hash sha
     group 2
     lifetime 86400
    crypto ikev1 policy 120
     authentication pre-share
     encryption 3des
     hash sha
     group 2
     lifetime 86400
    crypto ikev1 policy 130
     authentication crack
     encryption des
     hash sha
     group 2
     lifetime 86400
    crypto ikev1 policy 140
     authentication rsa-sig
     encryption des
     hash sha
     group 2
     lifetime 86400
    crypto ikev1 policy 150
     authentication pre-share
     encryption des
     hash sha
     group 2
     lifetime 86400
    telnet timeout 5
    ssh stricthostkeycheck
    ssh timeout 5
    ssh key-exchange group dh-group1-sha1
    console timeout 0

    dhcpd address 192.168.1.50-192.168.1.100 inside
    dhcpd enable inside
    !
    threat-detection basic-threat
    threat-detection statistics access-list
    no threat-detection statistics tcp-intercept
    webvpn
     anyconnect-essentials
    group-policy GroupPolicy_172.xxx.xx.4 internal
    group-policy GroupPolicy_172.xxx.xx.4 attributes
     vpn-tunnel-protocol ikev1 ikev2 l2tp-ipsec
    username admin password f3UhLvUj1QsXsuK7 encrypted privilege 15
    tunnel-group 172.xxx.xx.4 type ipsec-l2l
    tunnel-group 172.xxx.xx.4 general-attributes
     default-group-policy GroupPolicy_172.xxx.xx.4
    tunnel-group 172.xxx.xx.4 ipsec-attributes
     ikev1 pre-shared-key *****
     ikev2 remote-authentication pre-shared-key *****
    pre-shared-key authentication local IKEv2 *.
    !
    class-map inspection_default
    match default-inspection-traffic
    !
    !
    type of policy-card inspect dns preset_dns_map
    parameters
    maximum message length automatic of customer
    message-length maximum 512
    Policy-map global_policy
    class inspection_default
    inspect the preset_dns_map dns
    inspect the ftp
    inspect h323 h225
    inspect the h323 ras
    inspect the rsh
    inspect the rtsp
    inspect esmtp
    inspect sqlnet
    inspect the skinny
    inspect sunrpc
    inspect xdmcp
    inspect the sip
    inspect the netbios
    inspect the tftp
    Review the ip options
    inspect the icmp
    inspect the icmp error
    inspect the http

    For the IKEv2 configuration (example config; you can change the encryption, group, ...):

    - You must add the NAT exemption statement (see previous answer).

    - Set your encryption domain ACL:

    access-list IPSEC-TRAFFIC extended permit ip LOCAL-LAN REMOTE-LAN

    - Set the Phase 1:

    crypto ikev2 enable outside
    crypto ikev2 policy 10
     encryption 3des
     integrity sha md5
     group 5
     prf sha
     lifetime seconds 86400

    - Set the Phase 2:

    crypto ipsec ikev2 ipsec-proposal IKEV2-PROPOSAL
     protocol esp encryption aes
     protocol esp integrity sha-1

    - Set the tunnel group:

    tunnel-group REMOTE-PUBLIC-IP type ipsec-l2l
    tunnel-group REMOTE-PUBLIC-IP ipsec-attributes
     ikev2 remote-authentication pre-shared-key cisco123
     ikev2 local-authentication pre-shared-key cisco123

    - Define the crypto map:

    crypto map CRYPTOMAP 10 match address IPSEC-TRAFFIC
    crypto map CRYPTOMAP 10 set peer REMOTE-PUBLIC-IP
    crypto map CRYPTOMAP 10 set ikev2 ipsec-proposal IKEV2-PROPOSAL
    crypto map CRYPTOMAP interface outside
    crypto isakmp identity address

    In your config you have all these commands, but in your VPN config you mix ikev1 and ikev2. You have also defined different ikev2 policies. Just do a bit of cleanup and agree on one policy for both sites (encryption, hash, ...).

    Thank you
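The reply's last point, agreeing on one IKEv2 policy for both sites, is easy to check mechanically: on an ASA every `crypto ikev2 policy` block is sent as one proposal, and two proposals can only be agreed when encryption, integrity, DH group and PRF each have at least one value in common. The following script is an added example (not code from the thread or from Cisco): site A's policies are taken from the reply's example and the config dump above, site B is a constructed peer config, and the function names are mine.

```python
"""Cross-check IKEv2 policies between two ASA configs (added example).

Site A mirrors the policies shown in the thread; site B is a CONSTRUCTED peer.
A policy pair is negotiable when each of the four attributes intersects.
"""
import re

ATTRS = ("encryption", "integrity", "group", "prf")

# Site A: policy 1 from the config dump, policy 10 from the reply's example,
# plus the crypto-map entry that references both IKEv1 and IKEv2 (from the dump)
SITE_A = """\
crypto ikev2 enable outside
crypto ikev2 policy 1
 encryption aes-256
 integrity sha
 group 2 5
 prf sha
 lifetime seconds 86400
crypto ikev2 policy 10
 encryption 3des
 integrity sha md5
 group 5
 prf sha
 lifetime seconds 86400
crypto map Outside_map 1 set ikev1 transform-set ESP-AES-256-SHA ESP-3DES-SHA
crypto map Outside_map 1 set ikev2 ipsec-proposal AES256 3DES
"""

# Site B: CONSTRUCTED peer that only offers AES-256 / SHA / group 5
SITE_B = """\
crypto ikev2 policy 20
 encryption aes-256
 integrity sha
 group 5
 prf sha
 lifetime seconds 86400
"""


def parse_ikev2_policies(config):
    """Return {priority: {attr: set(values)}} for every 'crypto ikev2 policy' block.

    A block ends at the next command that is not one of its sub-commands, so the
    parser does not rely on show-run indentation.
    """
    policies, current = {}, None
    for raw in config.splitlines():
        words = raw.split()
        if not words:
            continue
        m = re.match(r"crypto ikev2 policy (\d+)$", " ".join(words))
        if m:
            current = {attr: set() for attr in ATTRS}
            policies[int(m.group(1))] = current
        elif current is not None and words[0] in ATTRS:
            current[words[0]].update(words[1:])
        elif words[0] != "lifetime":
            current = None
    return policies


def compatible_pairs(site_a, site_b):
    """List (prio_a, prio_b, common) for policy pairs the two peers can agree on."""
    pa, pb = parse_ikev2_policies(site_a), parse_ikev2_policies(site_b)
    pairs = []
    for ia in sorted(pa):
        for ib in sorted(pb):
            common = {attr: pa[ia][attr] & pb[ib][attr] for attr in ATTRS}
            if all(common.values()):
                pairs.append((ia, ib, common))
    return pairs


def mixed_ike_versions(config):
    """Crypto-map entries carrying both an IKEv1 transform-set and an IKEv2 proposal.

    The ASA accepts this; it is listed so you can decide which version to keep.
    """
    seen = {}
    for line in config.splitlines():
        m = re.match(r"\s*crypto map (\S+) (\d+) set (ikev1|ikev2) ", line)
        if m:
            seen.setdefault((m.group(1), int(m.group(2))), set()).add(m.group(3))
    return sorted(k for k, v in seen.items() if v == {"ikev1", "ikev2"})


if __name__ == "__main__":
    for ia, ib, common in compatible_pairs(SITE_A, SITE_B):
        print(f"site A policy {ia} <-> site B policy {ib}: {common}")
    print("entries using both IKE versions:", mixed_ike_versions(SITE_A))
```

Run against the two real configs (paste `show run crypto` from each box into `SITE_A` and `SITE_B`); an empty result from `compatible_pairs` means IKE_SA_INIT will fail with "no proposal chosen" before any pre-shared key is even checked.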

  • Site to site VPN with the VPN Client for both sites access?

    Current situation:

    The scenario is a remote office connected to the main office: a site-to-site IPSEC tunnel from the remote office (Netscreen) to the main office (PIX 506E), and Cisco VPN Client remote access for users to the main office.

    All of this works perfectly.

    Problem:

    Now we want remote users who connect to the main office to also be able to access resources in the remote office.

    This seems like it would be easy to implement, but I can't understand it.

    Thanks in advance.

    Rollo

    ----------

    #10.10.10.0 = Network1
    #10.10.11.0 = Network2
    #172.16.1.0 = vpn pool

    PIX Version 6.3(4)
    access-list 101 permit ip 10.10.10.0 255.255.255.0 172.16.1.0 255.255.255.0
    access-list 101 permit ip 10.10.10.0 255.255.255.0 10.10.11.0 255.255.255.0
    access-list splitTunnel permit ip 10.10.10.0 255.255.255.0 any
    access-list splitTunnel permit ip 10.10.11.0 255.255.255.0 any
    access-list 115 permit ip any 172.16.1.0 255.255.255.0
    access-list 116 permit ip 10.10.10.0 255.255.255.0 10.10.11.0 255.255.255.0
    access-list 116 permit ip any 10.10.11.0 255.255.255.0
    access-list 116 permit ip 10.10.11.0 255.255.255.0 10.10.10.0 255.255.255.0
    icmp permit any outside
    icmp permit any inside
    mtu outside 1500
    mtu inside 1500
    ip address outside 209.x.x.x 255.255.255.224
    ip address inside 10.10.10.1 255.255.255.0
    ip audit info action alarm
    ip audit attack action alarm
    ip local pool vpnpool 172.16.1.0-172.16.1.50
    global (outside) 1 interface
    global (outside) 10 209.x.x.x 255.255.255.224
    nat (inside) 0 access-list 101
    nat (inside) 10 10.10.10.0 255.255.255.0 0 0
    access-group outside_access_in in interface outside
    route outside 0.0.0.0 0.0.0.0 209.x.x.x 1
    timeout xlate 1:00:00
    timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
    timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
    timeout uauth 0:05:00 absolute
    floodguard enable
    sysopt connection permit-ipsec
    crypto ipsec transform-set RIGHT esp-3des esp-sha-hmac
    crypto dynamic-map Clients_VPN-dynmap 10 set transform-set RIGHT
    crypto map Myset1 35 ipsec-isakmp
    crypto map Myset1 35 match address 116
    crypto map Myset1 35 set peer x.x.x.x
    crypto map Myset1 35 set transform-set Myset1
    crypto map Myset1 90 ipsec-isakmp dynamic Clients_VPN-dynmap
    crypto map Myset1 client configuration address initiate
    crypto map Myset1 client configuration address respond
    crypto map Myset1 interface outside
    isakmp enable outside
    isakmp key ******** address x.x.x.x netmask 255.255.255.255 no-xauth no-config-mode
    isakmp identity address
    isakmp nat-traversal 20
    isakmp policy 15 authentication pre-share
    isakmp policy 15 encryption 3des
    isakmp policy 15 hash sha
    isakmp policy 15 group 1
    isakmp policy 15 lifetime 28800
    isakmp policy 20 authentication pre-share
    isakmp policy 20 encryption 3des
    isakmp policy 20 hash sha
    isakmp policy 20 group 2
    isakmp policy 20 lifetime 3600
    isakmp policy 25 authentication pre-share
    isakmp policy 25 encryption des
    isakmp policy 25 hash md5
    isakmp policy 25 group 2
    isakmp policy 25 lifetime 3600
    isakmp policy 30 authentication pre-share
    isakmp policy 30 encryption aes-256
    isakmp policy 30 hash sha
    isakmp policy 30 group 2
    isakmp policy 30 lifetime 86400
    vpngroup mygroup address-pool vpnpool
    vpngroup mygroup dns-server dns1 dns2
    vpngroup mygroup wins-server wins1 wins2
    vpngroup mygroup default-domain mydomain
    vpngroup mygroup split-tunnel splitTunnel
    vpngroup mygroup idle-time 64000
    vpngroup mygroup password ********
    telnet timeout 5
    dhcpd lease 3600
    dhcpd ping_timeout 750
    dhcpd auto_config outside

    Hi Rollo,

    It cannot be implemented, for a simple reason: it is not supported on PIX version 6.x. It relies on PIX 7.x, but 7.x is not supported on the PIX 506. So, in a word, it cannot be achieved on a PIX 506. If you have an ASA, a PIX 515 running 7.x, a router or a concentrator, it can be achieved.

    HTH,

    Please rate if this helps,

    Kind regards

    Kamal
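Whatever the platform answer, the first thing to verify for a flow that should enter a tunnel is which ACLs actually cover it: the crypto map's match ACL (116 here) decides what is encrypted, and the `nat (inside) 0` ACL (101) decides what is exempt from translation on the inside interface. The script below is an added example, not part of the thread: the ACL lines are the ones Rollo posted, the flows are constructed, and PIX 6.x ACLs are parsed with real netmasks (not wildcard masks). The function names are mine.

```python
"""Which flows do a PIX 6.x crypto ACL and NAT-exemption ACL cover? (added example)

ACL_LINES are the ACL entries from the post; flows tested below are constructed.
"""
import ipaddress
import re

ACL_LINES = """\
access-list 101 permit ip 10.10.10.0 255.255.255.0 172.16.1.0 255.255.255.0
access-list 101 permit ip 10.10.10.0 255.255.255.0 10.10.11.0 255.255.255.0
access-list 116 permit ip 10.10.10.0 255.255.255.0 10.10.11.0 255.255.255.0
access-list 116 permit ip any 10.10.11.0 255.255.255.0
access-list 116 permit ip 10.10.11.0 255.255.255.0 10.10.10.0 255.255.255.0
"""

ACL_RE = re.compile(r"access-list\s+(\S+)\s+(permit|deny)\s+ip\s+(.+)$")


def _take_net(toks):
    """Consume one address spec: 'any', 'host A.B.C.D' or 'A.B.C.D MASK'.

    PIX 6.x access-lists use real netmasks, which ipaddress accepts directly.
    """
    if toks[0] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), toks[1:]
    if toks[0] == "host":
        return ipaddress.ip_network(toks[1] + "/32"), toks[2:]
    return ipaddress.ip_network(f"{toks[0]}/{toks[1]}", strict=False), toks[2:]


def parse_ip_acl(config, name):
    """Return [(action, src_net, dst_net)] for the 'ip' entries of one ACL, in order."""
    entries = []
    for line in config.splitlines():
        m = ACL_RE.match(line.strip())
        if not m or m.group(1) != name:
            continue
        src, rest = _take_net(m.group(3).split())
        dst, _ = _take_net(rest)
        entries.append((m.group(2), src, dst))
    return entries


def first_match(entries, src, dst):
    """First-match semantics like the PIX: return 'permit'/'deny', or None (implicit deny)."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for action, sn, dn in entries:
        if s in sn and d in dn:
            return action
    return None


def coverage(config, src, dst):
    """Is the flow in the encryption domain (ACL 116) and in the NAT-0 ACL (101)?"""
    return {
        "crypto_acl_116": first_match(parse_ip_acl(config, "116"), src, dst) == "permit",
        "nat0_acl_101": first_match(parse_ip_acl(config, "101"), src, dst) == "permit",
    }


if __name__ == "__main__":
    # Constructed flows: a LAN host and a VPN-pool client, both towards Network2.
    for flow in (("10.10.10.5", "10.10.11.5"), ("172.16.1.10", "10.10.11.5")):
        print(flow, coverage(ACL_LINES, *flow))
```

Read the result against the interface the packet arrives on: `nat (inside) 0` only applies to traffic entering the inside interface, so a pool client's traffic (which arrives decrypted on the outside interface) not appearing in ACL 101 is expected and says nothing about whether the box can turn it back out the same interface, which is the platform question Kamal answers.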

  • Static record with the default port no

    Isn't it possible to have static registration of a database with a listener running on a non-default port?
    If so, how? How do I start a static listener for the running database?

    If you use static registration then you don't need the LOCAL_LISTENER parameter; it is required for dynamic registration.

    Example with Oracle XE:

    Listener.ora:

    LISTENER1=
    (DESCRIPTION =
      (ADDRESS_LIST=
         (ADDRESS = (PROTOCOL = TCP)(HOST = localhost)(PORT = 1522))
      )
    )
    
    SID_LIST_LISTENER1=
    (SID_LIST=
     (SID_DESC=
      (SID_NAME=XE)
      (ORACLE_HOME=C:\oraclexe\app\oracle\product\11.2.0\server)
     )
    )
    

    tnsnames.ora

    
    XE2 =
      (DESCRIPTION =
        (ADDRESS = (PROTOCOL = TCP)(HOST = localhost)(PORT = 1522))
        (CONNECT_DATA =
          (SERVER = DEDICATED)
          (SERVICE_NAME = XE)
        )
      )
    

    and:

    C:\>lsnrctl start listener1
    
    LSNRCTL for 32-bit Windows: Version 11.2.0.2.0 - Production on 13-OCT. -2011 12:07:05
    
    Copyright (c) 1991, 2010, Oracle.  All rights reserved.
    
    Starting tnslsnr: please wait...
    
    TNSLSNR for 32-bit Windows: Version 11.2.0.2.0 - Production
    System parameter file is C:\oraclexe\app\oracle\product\11.2.0\server\network\admin\listener.ora
    Log messages written to C:\oraclexe\app\oracle\diag\tnslsnr\xxx\listener1\alert\log.xml
    Listening on: (DESCRIPTION=(ADDRESS=(PROTOCOL=tcp)(HOST=127.0.0.1)(PORT=1522)))
    
    Connecting to (DESCRIPTION=(ADDRESS=(PROTOCOL=TCP)(HOST=localhost)(PORT=1522)))
    STATUS of the LISTENER
    ------------------------
    Alias                     listener1
    Version                   TNSLSNR for 32-bit Windows: Version 11.2.0.2.0 - Production
    Start Date                13-OCT. -2011 12:07:09
    Uptime                    0 days 0 hr. 0 min. 3 sec
    Trace Level               off
    Security                  ON: Local OS Authentication
    SNMP                      OFF
    Listener Parameter File   C:\oraclexe\app\oracle\product\11.2.0\server\network\admin\listener.ora
    Listener Log File         C:\oraclexe\app\oracle\diag\tnslsnr\xxx\listener1\alert\log.xml
    Listening Endpoints Summary...
      (DESCRIPTION=(ADDRESS=(PROTOCOL=tcp)(HOST=127.0.0.1)(PORT=1522)))
    Services Summary...
    Service "XE" has 1 instance(s).
      Instance "XE", status UNKNOWN, has 1 handler(s) for this service...
    The command completed successfully
    
    C:\>tnsping XE2
    
    TNS Ping Utility for 32-bit Windows: Version 11.2.0.2.0 - Production on 13-OCT. -2011 12:07:18
    
    Copyright (c) 1997, 2010, Oracle.  All rights reserved.
    
    Used parameter files:
    C:\oraclexe\app\oracle\product\11.2.0\server\network\admin\sqlnet.ora
    
    Used TNSNAMES adapter to resolve the alias
    Attempting to contact (DESCRIPTION = (ADDRESS = (PROTOCOL = TCP)(HOST = localhost)(PORT = 1522)) (CONNECT_DATA = (SERVER = DEDICATED
    ) (SERVICE_NAME = XE)))
    OK (30 msec)
    
    C:\>sqlplus system/xxx@XE2
    
    SQL*Plus: Release 11.2.0.2.0 Production on Jeu. Oct. 13 12:07:27 2011
    
    Copyright (c) 1982, 2010, Oracle.  All rights reserved.
    
    Connected to:
    Oracle Database 11g Express Edition Release 11.2.0.2.0 - Production
    
    SQL> show parameter local_li
    
    NAME                                 TYPE        VALUE
    ------------------------------------ ----------- ------------------------------
    local_listener                       string
    SQL> exit
    Disconnected from Oracle Database 11g Express Edition Release 11.2.0.2.0 - Production
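The listener.ora and tnsnames.ora above use the same nested `(KEY = value)` syntax, and the check that matters for the question is twofold: does the alias point at an endpoint the listener actually binds, and is the service it asks for in the listener's static `SID_LIST`. The following parser and check are an added example (not from the answer or from Oracle); the two files are the ones shown above, `XE3` in the usage is a constructed alias, and the helper names are mine.

```python
"""Parse Oracle Net parameter files and check an alias against a static
listener registration (added example, not from the post)."""
import re

# listener.ora from the answer: non-default port 1522, static SID_LIST for XE
LISTENER_ORA = r"""
LISTENER1=
(DESCRIPTION =
  (ADDRESS_LIST=
     (ADDRESS = (PROTOCOL = TCP)(HOST = localhost)(PORT = 1522))
  )
)

SID_LIST_LISTENER1=
(SID_LIST=
 (SID_DESC=
  (SID_NAME=XE)
  (ORACLE_HOME=C:\oraclexe\app\oracle\product\11.2.0\server)
 )
)
"""

# tnsnames.ora from the answer
TNSNAMES_ORA = r"""
XE2 =
  (DESCRIPTION =
    (ADDRESS = (PROTOCOL = TCP)(HOST = localhost)(PORT = 1522))
    (CONNECT_DATA =
      (SERVER = DEDICATED)
      (SERVICE_NAME = XE)
    )
  )
"""

TOKEN = re.compile(r"\(|\)|=|[^\s()=]+")


def parse(text):
    """Return {NAME: value}; a value is a scalar string or a dict of groups.
    Repeated keys in one group (e.g. several ADDRESS entries) become a list."""
    toks = TOKEN.findall(re.sub(r"#.*", "", text))  # '#' starts a comment
    pos = 0

    def value():
        nonlocal pos
        if toks[pos] != "(":            # scalar
            pos += 1
            return toks[pos - 1]
        group = {}
        while pos < len(toks) and toks[pos] == "(":
            key = toks[pos + 1]
            if toks[pos + 2] != "=":
                raise ValueError(f"expected '=' after {key}")
            pos += 3
            val = value()
            if pos >= len(toks) or toks[pos] != ")":
                raise ValueError(f"unbalanced group {key}")
            pos += 1
            if key in group:
                prev = group[key]
                group[key] = (prev if isinstance(prev, list) else [prev]) + [val]
            else:
                group[key] = val
        return group

    result = {}
    while pos < len(toks):
        name = toks[pos]
        if pos + 1 >= len(toks) or toks[pos + 1] != "=":
            raise ValueError(f"expected '=' after {name}")
        pos += 2
        result[name] = value()
    return result


def as_list(v):
    return v if isinstance(v, list) else [v]


def listener_endpoints(cfg, listener):
    """(host, port) pairs the listener binds over TCP."""
    eps = set()
    for desc in as_list(cfg[listener]["DESCRIPTION"]):
        for holder in as_list(desc.get("ADDRESS_LIST", desc)):
            for a in as_list(holder.get("ADDRESS", [])):
                if a.get("PROTOCOL", "").upper() == "TCP":
                    eps.add((a["HOST"].lower(), int(a["PORT"])))
    return eps


def static_services(cfg, listener):
    """Service names advertised from SID_LIST_<listener> without PMON registration:
    GLOBAL_DBNAME when set, otherwise the SID_NAME itself (shown as status UNKNOWN)."""
    sid_list = cfg.get("SID_LIST_" + listener, {}).get("SID_LIST", {})
    return {d.get("GLOBAL_DBNAME", d["SID_NAME"]) for d in as_list(sid_list.get("SID_DESC", []))}


def check_alias(tns_cfg, lsnr_cfg, alias, listener):
    """Return (endpoint_ok, static_ok) for a tnsnames alias against a listener."""
    desc = as_list(tns_cfg[alias]["DESCRIPTION"])[0]
    addr = as_list(desc["ADDRESS"])[0]
    target = (addr["HOST"].lower(), int(addr["PORT"]))
    cd = desc["CONNECT_DATA"]
    wanted = cd.get("SERVICE_NAME") or cd.get("SID")
    return (target in listener_endpoints(lsnr_cfg, listener),
            wanted in static_services(lsnr_cfg, listener))


if __name__ == "__main__":
    lsnr, tns = parse(LISTENER_ORA), parse(TNSNAMES_ORA)
    print("XE2 ->", check_alias(tns, lsnr, "XE2", "LISTENER1"))
```

A `(True, False)` result means the client reaches the listener but the service is neither statically listed nor (with LOCAL_LISTENER unset and a non-default port) dynamically registered, which is exactly the "listener does not currently know of service" case the question is about.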
    
     
    
  • I can NAT before the VPN Tunnel?

    Hello

    I want to add servers to a site-to-site IPsec tunnel configuration so that their traffic is carried over it.

    However, I have to NAT these machines for presentation to the other side.

    For a Cisco 1760 (vpn termination point) running on 12.3 code, is it possible?

    If it's possible, could I get a link to a config? Or maybe an excerpt here?

    We use two interfaces ethernet for this:

    Ethernet1/0 is inside

    ethernet0/0 is outside

    Can't seem to find any documentation for it.

    Thank you

    Paul

    It is the "NAT order of operation" used by Cisco devices; it seems that NAT is done before the crypto check anyway.

    http://www.Cisco.com/en/us/Tech/tk648/tk361/technologies_tech_note09186a0080133ddd.shtml

    Concerning

    Farrukh
