Twice NAT on a site-to-site tunnel with the same private networks

Hello

Currently, I am trying to configure a site-to-site tunnel between an IOS router and an ASA 5505 running 9.1.

When the IOS router's private subnet was 10.0.0.0/24 and the ASA's private subnet was 172.16.1.0/24, it connected properly.

I'm now putting in place a scenario where the two private networks are both 10.0.0.0/24. I created the network objects, edited the ACL for interesting traffic and created the twice NAT translation rule, but the tunnel is not coming up. I was hoping someone could shed some light on where I'm going wrong.

There is an IOS router (R1) and an ASA (F2). Between them is a router standing in for the Internet, which is just set up to allow both sides to reach each other's WAN address.

R1 and F2 both have the private network 10.0.0.0/24 and they need to communicate. Twice NAT can be done on the ASA to allow this, but I must be doing something wrong. The way I understand it, R1 should see traffic coming from 10.51.0.0/24 and send its traffic to that network. The ASA will receive this traffic and the inside network should see it coming in as 10.50.0.0/24. So F2's private network communicates with 10.50.0.0/24, and R1's private network sends traffic to 10.51.0.0/24.

I turned on "debug crypto ipsec" and "debug crypto isakmp" but no output appears, nor anything that indicates it is trying to establish anything.

Any help would be greatly appreciated! Thank you!

R1#show run

version 12.4

hostname R1

crypto isakmp policy 50
 encr 3des
 authentication pre-share
 group 2
crypto isakmp key cisco address 10.2.0.254

crypto ipsec transform-set L2L_SET esp-3des esp-sha-hmac

crypto map CRYPTO 50 ipsec-isakmp
 set peer 10.2.0.254
 set transform-set L2L_SET
 match address CRYPTO

interface FastEthernet0/0
 ip address 10.0.0.253 255.255.255.0
 ip nat inside
 ip virtual-reassembly
 ip ospf authentication message-digest
 ip ospf authentication-key cisco
 duplex auto
 speed auto

interface FastEthernet0/1
 ip address 10.1.0.254 255.255.255.0
 ip nat outside
 ip virtual-reassembly
 ip ospf authentication message-digest
 ip ospf authentication-key cisco
 duplex auto
 speed auto
 crypto map CRYPTO

ip classless
ip route 0.0.0.0 0.0.0.0 10.1.0.253
ip route 10.2.0.0 255.255.255.0 10.1.0.253
!
!
ip http server
no ip http secure-server
ip nat inside source list SHEEP interface FastEthernet0/1 overload
!
ip access-list extended CRYPTO
 permit ip 10.0.0.0 0.0.0.255 10.51.0.0 0.0.0.255
ip access-list extended SHEEP
 deny   ip 10.0.0.0 0.0.0.255 10.51.0.0 0.0.0.255
 permit ip any any

=========================================================================

F2# show run
: Saved
:
ASA Version 9.1(1)
!
hostname F2
enable password 3a57ZsZ4Kgc.ZsL0 encrypted
passwd 3a57ZsZ4Kgc.ZsL0 encrypted
names

interface Vlan1
 nameif inside
 security-level 100
 ip address 10.0.0.254 255.255.255.0
!
interface Vlan2
 nameif outside
 security-level 0
 ip address 10.2.0.254 255.255.255.0

object network PRIVATE
 subnet 10.0.0.0 255.255.255.0

object network PARTNER_PRIVATE
 subnet 10.0.0.0 255.255.255.0
object network PARTNER_VPN_INBOUND
 subnet 10.50.0.0 255.255.255.0
object network PARTNER_VPN_OUTBOUND
 subnet 10.51.0.0 255.255.255.0

access-list OUTSIDE_IN extended permit ip any any
access-list CRYPTO extended permit ip 10.0.0.0 255.255.255.0 10.50.0.0 255.255.255.0

nat (inside,outside) source static PRIVATE PARTNER_VPN_OUTBOUND destination static PARTNER_PRIVATE PARTNER_VPN_INBOUND
!
object network PRIVATE
 nat (inside,outside) dynamic interface
access-group OUTSIDE_IN in interface outside
route outside 0.0.0.0 0.0.0.0 10.2.0.253 1
route outside 10.1.0.0 255.255.255.0 10.2.0.253 1
aaa authentication ssh console LOCAL

crypto ipsec ikev1 transform-set L2L_SET esp-3des esp-sha-hmac
crypto ipsec security-association pmtu-aging infinite
crypto map L2L_MAP 50 match address CRYPTO
crypto map L2L_MAP 50 set peer 10.1.0.254
crypto map L2L_MAP 50 set ikev1 transform-set L2L_SET
crypto map L2L_MAP interface outside
crypto ca trustpool policy
crypto ikev1 enable outside
crypto ikev1 policy 50
 authentication pre-share
 encryption 3des
 hash sha
 group 2
 lifetime 86400

tunnel-group 10.1.0.254 type ipsec-l2l
tunnel-group 10.1.0.254 ipsec-attributes
 ikev1 pre-shared-key *****

object network PRIVATE
subnet 10.0.0.0 255.255.255.0

object network PARTNER_PRIVATE
subnet 10.0.0.0 255.255.255.0
object network PARTNER_VPN_INBOUND
subnet 10.50.0.0 255.255.255.0
object network PARTNER_VPN_OUTBOUND
subnet 10.51.0.0 255.255.255.0

access-list OUTSIDE_IN extended permit ip any any
access-list CRYPTO extended permit ip 10.0.0.0 255.255.255.0 10.50.0.0 255.255.255.0

nat (inside,outside) source static PRIVATE PARTNER_VPN_OUTBOUND destination static PARTNER_PRIVATE PARTNER_VPN_INBOUND

Here in the NAT rule you use the subnet PARTNER_PRIVATE, which is the same as the local subnet, so the devices never send this traffic to the ASA, because they know that this subnet (10.0.0.0/24) is their own local subnet. Therefore, you must write the NAT rule this way (i.e. swap the places of the destination objects):

nat (inside,outside) source static PRIVATE PARTNER_VPN_OUTBOUND destination static PARTNER_VPN_INBOUND PARTNER_PRIVATE

So the hosts on the subnet behind the ASA will see the hosts on the subnet behind R1 as 10.50.0.0/24, and to reach the subnet behind R1 you must use the 10.50.0.x addresses, which correspond one-to-one to 10.0.0.x.

In addition, your proxy ACL on the ASA must use post-NAT addresses, so it should look like this:

access-list CRYPTO extended permit ip 10.51.0.0 255.255.255.0 10.0.0.0 255.255.255.0
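To see why the object order and the post-NAT crypto ACL matter, here is a small Python model of the ASA's translation and crypto ACL selection, added here and not part of the thread or of any Cisco software. Addresses and object names come from the configs above, the fall-through to the outside interface models the posted "nat (inside,outside) dynamic interface" line (twice NAT is evaluated before object NAT), and the sample hosts .10 and .20 are constructed.

```python
import ipaddress

# Constructed model of the thread's addressing (not Cisco code, not the poster's config).
PRIVATE = ipaddress.ip_network("10.0.0.0/24")                # ASA inside (real)
PARTNER_VPN_OUTBOUND = ipaddress.ip_network("10.51.0.0/24")  # ASA inside as R1 sees it
PARTNER_VPN_INBOUND = ipaddress.ip_network("10.50.0.0/24")   # R1 side as ASA hosts address it
PARTNER_PRIVATE = ipaddress.ip_network("10.0.0.0/24")        # R1 side (real)
ASA_OUTSIDE_IP = ipaddress.ip_address("10.2.0.254")          # target of 'nat dynamic interface'

# 'nat (inside,outside) source static A B destination static C D' is modelled as (A, B, C, D).
# Source is written real -> mapped, destination mapped -> real: that order is the trap.
NAT_POSTED = (PRIVATE, PARTNER_VPN_OUTBOUND, PARTNER_PRIVATE, PARTNER_VPN_INBOUND)
NAT_FIXED = (PRIVATE, PARTNER_VPN_OUTBOUND, PARTNER_VPN_INBOUND, PARTNER_PRIVATE)

def wildcard(net, wc):
    """IOS 'permit ip 10.0.0.0 0.0.0.255' style (network, wildcard) -> ip_network."""
    return ipaddress.ip_network(f"{net}/{wc}")

ASA_ACL_POSTED = [(PRIVATE, PARTNER_VPN_INBOUND)]           # 10.0.0.0/24 -> 10.50.0.0/24
ASA_ACL_FIXED = [(PARTNER_VPN_OUTBOUND, PARTNER_PRIVATE)]   # 10.51.0.0/24 -> 10.0.0.0/24
R1_ACL = [(wildcard("10.0.0.0", "0.0.0.255"), wildcard("10.51.0.0", "0.0.0.255"))]

def netmap(addr, from_net, to_net):
    """Static one-to-one subnet translation: keep the host bits, swap the network bits."""
    host_bits = int(addr) - int(from_net.network_address)
    return ipaddress.ip_address(int(to_net.network_address) + host_bits)

def asa_translate(src, dst, twice_rule):
    """ASA NAT order: the twice NAT rule (section 1) is tried first; if it does not match,
    the object NAT 'nat (inside,outside) dynamic interface' PATs the source instead."""
    src, dst = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    src_real, src_mapped, dst_mapped, dst_real = twice_rule
    if src in src_real and dst in dst_mapped:
        return netmap(src, src_real, src_mapped), netmap(dst, dst_mapped, dst_real)
    if src in PRIVATE:
        return ASA_OUTSIDE_IP, dst
    return src, dst

def acl_permits(acl, src, dst):
    """Crypto ACL match on (src, dst); the ASA evaluates it against post-NAT addresses."""
    return any(src in s and dst in d for s, d in acl)

def acls_mirror(asa_acl, r1_acl):
    """Both ends must describe the same flows with source and destination swapped."""
    return {(s, d) for s, d in asa_acl} == {(d, s) for s, d in r1_acl}

def asa_to_r1_flow_ok(twice_rule, asa_acl, src="10.0.0.10", dst="10.50.0.20"):
    """Is a packet from an ASA-side host to an R1-side host selected for the tunnel?
    Returns (selected, post-NAT source, post-NAT destination)."""
    post_src, post_dst = asa_translate(src, dst, twice_rule)
    return acl_permits(asa_acl, post_src, post_dst), str(post_src), str(post_dst)

if __name__ == "__main__":
    # Posted config: the packet misses the twice NAT rule, gets PATed to the outside
    # address and never matches the crypto ACL, so nothing appears in the debugs.
    print("posted config:", asa_to_r1_flow_ok(NAT_POSTED, ASA_ACL_POSTED))
    print("fixed config: ", asa_to_r1_flow_ok(NAT_FIXED, ASA_ACL_FIXED))
    print("ACLs mirror R1 (posted):", acls_mirror(ASA_ACL_POSTED, R1_ACL))
    print("ACLs mirror R1 (fixed): ", acls_mirror(ASA_ACL_FIXED, R1_ACL))
```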

Tags: Cisco Security

Similar Questions

  • VPN client with overlapping private networks?

    I have a new client who needs to send us data occasionally. We normally install the Cisco VPN Client on their PC, but this client has the same private network as we do.

    I know it could be done with policy NAT on my ASA 5510 with a site-to-site VPN, but the customer does not want to change their addresses or network hardware. They have a cable router with no VPN option, and they are unwilling to spend more money on this project.

    Can this work if there is no overlap of IP addresses?

    Your ACL SHEEP overlaps the static NAT, and SHEEP has priority over the static policy NAT, which is why it does not work.

    Please remove the following:

    access-list sheep extended permit ip 192.168.1.0 255.255.255.0 192.168.240.0 255.255.255.0

  • Several tunnels with the same remote network & destination in crypto maps

    This may be a newbie question, but I don't have non-production systems and don't really have a way to test this properly. We have an ASA 5520 with several site-to-site tunnels. We already have a tunnel with one of the remote networks at 10.100.90.14. We have this IP configured as the remote network on a subnet and as the destination address in the crypto map. We also have NAT exempt rules in place for our local network with the 10.100.90.14 address as the destination.

    We have another tunnel that must be built and which will have a different peer address, but it requires a large number of subnets, and at least one of them will have the same remote network/destination address in the crypto map and VPN tunnel that we already have in place.

    Is this possible to do with a site-to-site tunnel without a static or dynamic NAT to a different IP address?

    I know that with physical networks it is impossible because of the static routes that are in place, but with IPsec tunnels I'm not sure how it works, and as mentioned, I'm not able to test it.

    Any guidance would be appreciated.

    Bill

    The crypto map ACL defines interesting traffic. If you have the same destination IP address, i.e. 10.100.90.14, and the source, i.e. the IP address of the client on your network, is identical for the two tunnels, then no, it won't work and you will need to do some sort of NAT for one of the tunnels.

    Jon

  • Site-to-site VPN on the same LAN address subnet - cannot communicate

    Hello

    I have a VPN tunnel between Site A and Site B, which are both on the same local network.

    Site A has an inside LAN of 192.168.0.0/24 and a DMZ of 10.0.0.0/24

    Site B has an inside LAN of 192.168.0.0/24

    I have set up the VPN so that the Site A DMZ communicates with the Site B inside.

    The two tunnels are up but I can't ping the other side and vice versa. Also, from the DMZ, when I ping the 192.168.0.0/24 range the ping times out; I guess that's because the ping is sent to Site A's inside. Also the DMZ is security level 50 and the inside site LAN is security level 0.

    Is it possible to make this work?

    Thank you

    John,

    This could be a solution.

    If they NAT their network to their outside IP address this will work, but a little bit differently from a regular tunnel.

    If they NAT their entire 192.168.0.0/24 network to the outside IP address of the Juniper box, then once it is implemented they will be able to send traffic and access your network without problem. However, you will only be able to send traffic (initiate) from their side, because their internal network is behind the external IP address. This kind of translation is called PAT.

    If you need full two-way communication through the tunnel you should ask them to translate their network with a one-to-one translation, so that they can reach you and you can reach them.

    The other solution is to translate their network on your ASA. You can do the following:

    static (outside,DMZ) 192.168.200.0 192.168.0.0 netmask 255.255.255.0

    With this line in place, the configuration of the tunnel will remain the same; no change is required. But when you need to access their network you must point the traffic to 192.168.200.0/24, not the original 192.168.0.0/24 addresses.

    So, in case you need to access their 192.168.0.10 from your DMZ host, you should actually try to access 192.168.200.10.

    Why don't you give it a shot and let me know the results?


  • Two VPN tunnels on the same device with the same protected networks

    There is a remote site that wants me to put in place two separate VPN tunnels with the same internal IPs at each end. For example:

    LAN = 10.212.170.201/32, 10.212.170.202/32

    Remote network = 192.168.0.0/24

    I currently have a tunnel between the above:

    Remote endpoint = 111.93.152.186

    Local endpoint = 198.205.115.252

    Now, they want to set up a VPN for the same networks between:

    Remote endpoint = 115.115.130.34

    Local endpoint = 198.205.115.252

    It is my understanding that the Cisco ASA 5520 can do this. The only way I've seen this done with Cisco hardware is to use two ASAs, but there may be a way to use route costs or some other trick to make it happen.

    I'm open to suggestions.

    Is it a backup?

    If so, specify the second remote endpoint as a "backup" peer in the first VPN. Only one will be active at a time, but it will fail over if the first VPN dies.
