VPN and overlapping address spaces
I'm trying to set up a VPN to allow a business partner to access our network. The problem is that the partner uses the same private address space as we do.
I'm trying to understand how to NAT an internal address to a different address as the packet comes out of the VPN tunnel.
There is a Visio doc attached that shows 'THEM' and 'US'. The 'THEM' side doesn't use real IPs; I made this drawing because I have an example set up in a lab environment, so I picked random numbers for the 'THEM' IP addresses.
The partner's PC(s) must have access to two PCs on my side. I got it working to the point where the VPN tunnel comes up between the two PIX 501s and the destination IP is translated to a private IP address, but I need help translating the remote source IPs to private IPs.
Here are a few outputs from the PIX on the 'US' side (my side).
ICMP echo request incoming (len 32 id 2 seq 44033) 10.150.100.100 > 216.x.x.x > 10.220.2.10
The source of the packet is sent to the address 216.x.x.x and then translated to its internal address of 10.220.2.10. I need to translate the 10.150.100.100 address to something else so it doesn't conflict with my network. Ideas? I'm a PIX n00b. Thanks in advance.
Hello
Sorry, I don't have Visio on my PC at home, but if you want to translate the source IP address of incoming packets, for example translate 10.150.100.100 to 192.168.5.10:
static (outside,inside) 192.168.5.10 10.150.100.100 netmask 255.255.255.255
If you have a source address pool you could do:
nat (outside) 3 10.150.100.0 255.255.255.0 outside
global (inside) 3 192.168.5.10
HTH
Jon
Tags: Cisco Security
Similar Questions
-
We already have site-to-site IPsec VPN connectivity with a 3rd party.
They need to be able to access a couple of servers on our internal network, but the problem is that the subnet these servers are hosted on clashes with address space they already use elsewhere. So they asked if we can set up a new subnet and have our ASA firewall (running v7.2) NAT the traffic to and from our servers' 'real' internal addresses.
For example:
- 3rd party subnet 10.10.10.0/24
- Our subnet 10.20.20.0/24 (but this clashes with the 3rd party's address space elsewhere)
- Our 'real' internal server addresses are 10.20.20.1 and 10.20.20.2
How do we set up NAT on our ASA to translate the 'real' internal addresses of these servers to some other addresses that don't clash?
That is, as far as the 3rd party is concerned, they would simply communicate with this 'new' subnet, say 192.168.20.0/24, and our ASA firewall would NAT the traffic accordingly to allow the comms to take place?
(And it should only affect comms to these servers from the 3rd party, NOT any of our other multiple VPN connections! And it should not affect the other comms from the servers themselves!)
This is what I've tried so far, for one of the servers, without success:
On the ASA:
!
access-list 3rdpartysite line 1 extended permit ip host 192.168.20.1 10.10.10.0 255.255.255.0
!
access-list SERVER-NAT line 1 extended permit ip host 10.20.20.1 10.10.10.0 255.255.255.0
!
static (inside,outside) 192.168.20.1 access-list SERVER-NAT
"sh xlate" indicates:
Global 192.168.20.1 Local 10.20.20.1
Can someone help with the necessary NAT configurations on the ASA?
Thank you!
Did you 'clear xlate' after you configured the NAT statements?
When you try to ping from 10.20.20.1, does it get to the ASA? Do you have an ACL on this interface that would block the ping? Also, can you run a packet capture on the ASA to see if the ASA even receives the traffic?
What is the subnet mask of the 10.20.20.1 host? I guess it's 255.255.255.0?
You don't need anything specific on the ASA with regard to routing for 192.168.20.1.
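As an added illustration (not code from either thread and not Cisco's), the following Python model shows what the two static statements discussed above do to each packet: the policy static on the ASA from this thread (static (inside,outside) 192.168.20.1 access-list SERVER-NAT), which rewrites the server's address only when it talks to the 3rd party, and the outside static on the PIX from the first thread (static (outside,inside) 192.168.5.10 10.150.100.100), which rewrites the partner's source address so our LAN never sees an overlapping 10.x source. The host addresses 10.10.10.7 and 172.16.50.5 and the interface names are constructed for the example; the xlate dictionary mimics the Local/Global pairs of "show xlate".

```python
"""Toy model of policy static NAT on a PIX/ASA when a VPN partner's address space overlaps ours.

Added example, not the posters' configuration. Sample hosts and peer ranges are constructed.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network


@dataclass(frozen=True)
class PolicyStatic:
    """static (real_if,mapped_if) mapped real [access-list real -> peer]."""
    real_if: str   # interface where the real (untranslated) address lives
    real: str      # real network, e.g. "10.20.20.1/32"
    mapped: str    # address the other side uses for it, e.g. "192.168.20.1/32"
    peer: str      # policy condition: only translate when talking to this network


def _shift(addr, from_net, to_net):
    """Map addr from one network onto the same host offset in another (one-to-one NAT)."""
    offset = int(ip_address(addr)) - int(from_net.network_address)
    return str(ip_address(int(to_net.network_address) + offset))


class Translator:
    def __init__(self, rules):
        self.rules = list(rules)
        self.xlate = {}   # real -> mapped, the Local/Global pairs 'show xlate' would list

    def translate(self, src, dst, ingress):
        """Return (src, dst) after NAT for a packet arriving on interface `ingress`."""
        s, d = ip_address(src), ip_address(dst)
        new_src, new_dst = src, dst
        for r in self.rules:
            real, mapped, peer = (ip_network(n) for n in (r.real, r.mapped, r.peer))
            if ingress == r.real_if and s in real and d in peer:
                # leaving the real side towards the policy peer: rewrite the source
                new_src = _shift(src, real, mapped)
                self.xlate[src] = new_src
            elif ingress != r.real_if and d in mapped and s in peer:
                # arriving from the peer for the mapped address: rewrite the destination
                new_dst = _shift(dst, mapped, real)
                self.xlate[new_dst] = dst
        return new_src, new_dst


if __name__ == "__main__":
    # ASA thread: only the 3rd party (10.10.10.0/24) sees 10.20.20.1 as 192.168.20.1
    asa = Translator([PolicyStatic("inside", "10.20.20.1/32", "192.168.20.1/32", "10.10.10.0/24")])
    print(asa.translate("10.10.10.7", "192.168.20.1", "outside"))   # ('10.10.10.7', '10.20.20.1')
    print(asa.translate("10.20.20.1", "10.10.10.7", "inside"))      # ('192.168.20.1', '10.10.10.7')
    print(asa.translate("10.20.20.1", "172.16.50.5", "inside"))     # another VPN peer: untouched
    print(asa.xlate)                                                  # {'10.20.20.1': '192.168.20.1'}
    # PIX thread: partner host 10.150.100.100 appears on our LAN as 192.168.5.10
    pix = Translator([PolicyStatic("outside", "10.150.100.100/32", "192.168.5.10/32", "0.0.0.0/0")])
    print(pix.translate("10.150.100.100", "10.220.2.10", "outside"))  # ('192.168.5.10', '10.220.2.10')
    print(pix.translate("10.220.2.10", "192.168.5.10", "inside"))     # ('10.220.2.10', '10.150.100.100')
```

The peer field is what makes the ASA version a policy NAT: a packet from 10.20.20.1 to any other VPN peer is forwarded with its real address, which is the "must not affect our other VPN connections" requirement in the question. The PIX version uses 0.0.0.0/0 as the peer because the posted static has no access-list qualifier.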
-
In the last two days, I started getting foreign-language characters randomly at the top of my screen, on both the tab bar and the address bar. At the same time, the tabs at the top overlap and are difficult to make out.
Any ideas why, and how to fix it? I can send a screenshot of the problem if it helps.
The McAfee SiteAdvisor extension has been reported to cause this problem, so you can disable that extension to check.
- How to uninstall SiteAdvisor:
http://service.McAfee.com/faqdocument.aspx?ID=TS100162
-
Does upgrading my Windows XP to 64-bit increase the allowed address space for RAM?
I have Windows XP 32-bit... If I upgrade to Windows XP 64-bit, will it allow me a greater address space for my RAM? I already know that the programs I currently use support 64-bit. My motherboard supports it as well. I'm looking for a solution to my problems with game play on this model. It used to support my game very well, but since the processor overheated (fan replaced), the graphics card was replaced and the RAM was replaced... my gaming experience still isn't what it was.
It would if you could... but you probably can't.
For one thing, it's not only your programs or your motherboard. You must change your CPU as well. Then there is other hardware and the device drivers. And, of course, there is the small problem that Windows XP 64-bit is no longer available from Microsoft (you can find it online, but it is not cheap and may or may not be 'genuine').
-
My laptop can open Internet Explorer properly, and the cursor works when I tap in the address space to type a website, but it does not go to the search space to find anything, except with the right button. What is the problem? Harry
When you try to search, is it inside Windows or Internet Explorer?
When did this last work fine?
Did you make any changes to the computer?
If it has worked before, you can try running System Restore and check if that helps ;)
-
RVL200 - SSL VPN and firewall rules
Forgive my ignorance, but I have been immersed in the configuration of this RVL200 device to allow remote SSL VPN access to a customer site, sight unseen. I have the basics of the VPN set up in the config, but am now moving on to the firewall rules. We want to block all internal devices from accessing the Internet, but I don't want to cripple the remote clients that will be connecting by blocking their return traffic via the SSL VPN. This leads to my questions:
(1) Will a blanket DENY rule for all OUTBOUND traffic prevent the primary function of the VPN (to allow remote administration of machines on the local network)?
(2) If the answer to #1 is 'Yes', what ports/services do I need to open on the LAN side?
(3) Building on #2, can the allowed outbound rules be configured to apply only to VPN clients, rather than all hosts on the LAN?
(4) As the default INBOUND traffic rule is DENY ALL, do I have to create a rule to allow the VPN tunnel, or is that handled in the router configuration?
Here are some other details:
- The LAN behind the RVL200 is an isolated LAN in a manufacturing environment.
- All hosts on this network have a static IP address on a single subnet.
- The RVL200 has been configured with a static, public IP on the WAN/INTERNET side.
- DHCP has been disabled on the RVL200.
- Authentication to the device will use a local database.
- There is no DNS server on the local network.
- The device upstream of the RVL200 is a DSL modem using PPPoE, and the device has been configured for this setting.
- Several local user database accounts were created to facilitate SSL VPN access.
I have worked with other aspects of IT for a long time, but have limited experience with VPNs and the associated firewall rules, and zero with this family of devices. Any help will be greatly appreciated.
aponikikay, there is no port forwarding necessary for the RVL200 SSL VPN to function.
Re 1. That is not proven. It shouldn't. The router should automatically make sure that the SSL VPN service on the router is functional and accessible.
Re 2. No forwarding necessary. In addition, never forward TCP/UDP port 47 or 50 for VPN functions. TCP port 1723 is used for PPTP. UDP 500 is used for ISAKMP. You usually also have to forward TCP/UDP port 4500 for IPsec encapsulation.
Let's not forget port 47. GRE is an IP protocol that is used for virtual private networks. It is not a TCP or UDP protocol. GRE has IP protocol number 47. It has nothing to do with TCP or UDP port 47. TCP and UDP are completely different protocols.
The same goes for 50: ESP is the payload for IPsec tunnels. ESP is IP protocol 50. It has nothing to do with TCP or UDP port 50.
'Forwarding' of GRE is configured with the PPTP passthrough option.
'Forwarding' of ESP is configured with the IPsec passthrough option.
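The distinction in the reply above (IP protocol number versus TCP/UDP port number) is easy to see in the packet bytes. The following added Python example, not code from the forum or from Cisco, builds a few constructed IPv4 packets with documentation addresses, reads the protocol field from the IP header and the destination port from the transport header, and maps each packet to the router setting the reply describes. The packet builders and the string labels are assumptions made for the example.

```python
"""Decode the IPv4 protocol field versus TCP/UDP ports for VPN passthrough decisions.

Added example; the packets are constructed in memory and never sent.
"""
import struct
from ipaddress import IPv4Address

IP_PROTO = {1: "ICMP", 6: "TCP", 17: "UDP", 47: "GRE", 50: "ESP"}


def build_ipv4(proto, src, dst, payload):
    """Minimal 20-byte IPv4 header (no options, checksum zeroed) followed by payload."""
    header = struct.pack("!BBHHHBBH4s4s",
                         0x45, 0, 20 + len(payload), 0, 0, 64, proto, 0,
                         IPv4Address(src).packed, IPv4Address(dst).packed)
    return header + payload


def udp_packet(src, dst, dport, sport=40000):
    return build_ipv4(17, src, dst, struct.pack("!HHHH", sport, dport, 8, 0))


def tcp_packet(src, dst, dport, sport=40000):
    # 20-byte TCP header with only the SYN flag set, other fields zero
    return build_ipv4(6, src, dst, struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 0x50, 0x02, 8192, 0, 0))


def gre_packet(src, dst):
    # GRE header whose protocol type is PPP (0x880b), the encapsulation PPTP uses
    return build_ipv4(47, src, dst, b"\x00\x00\x88\x0b")


def esp_packet(src, dst, spi=0x1000):
    return build_ipv4(50, src, dst, struct.pack("!II", spi, 1))  # SPI + sequence number


def classify(packet):
    """Return (IP protocol name, destination port or None). Only TCP/UDP carry ports."""
    ihl = (packet[0] & 0x0F) * 4          # header length in bytes
    proto = packet[9]                      # IPv4 protocol field
    name = IP_PROTO.get(proto, f"proto-{proto}")
    if proto in (6, 17):
        dport = struct.unpack("!H", packet[ihl + 2:ihl + 4])[0]
        return name, dport
    return name, None


def passthrough_setting(packet):
    """Which router setting lets this packet through, following the reply's explanation."""
    name, port = classify(packet)
    if name == "GRE":
        return "PPTP passthrough (IP protocol 47)"
    if name == "ESP":
        return "IPsec passthrough (IP protocol 50)"
    if name == "TCP" and port == 1723:
        return "forward TCP 1723 (PPTP control channel)"
    if name == "UDP" and port in (500, 4500):
        return f"forward UDP {port} (ISAKMP / NAT-T)"
    return "no VPN passthrough rule applies"


if __name__ == "__main__":
    a, b = "203.0.113.10", "198.51.100.20"
    for pkt in (gre_packet(a, b), udp_packet(a, b, 47), esp_packet(a, b), tcp_packet(a, b, 1723)):
        print(classify(pkt), "->", passthrough_setting(pkt))
```

A UDP datagram to port 47 and a GRE packet both "have 47 in them", but in different header fields: the router's port-forwarding table only ever consults the transport port, so no forwarding rule can admit GRE or ESP.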
-
Site-to-site VPN and remote-access VPN on a PIX - no way?
Hi,
I have a problem with site-to-site and remote-access VPN on a PIX:
My setup is as follows: a PIX (6.3) terminates a site-to-site VPN and should also serve remote-access clients using the Cisco VPN Client (4.0.x).
The problem is with the remote-access VPN clients: they obtain an IP address on their VPN interface, but the clients cannot reach anything. (Please note that the site-to-site VPN runs without problems.)
To be precise (see config excerpts below):
The client, which has 212.138.109.20 as its IP address, gets IP 10.0.100.1 on its VPN adapter, which comes from the "vpnpool" pool
configured on the PIX. This client tries to reach servers on the 'inside' interface of the PIX such as 10.0.1.28.
However, the client cannot reach *anything*: neither a server on the inside nor anything outside (e.g. the Internet)!
Using Ethereal traces, I discovered that the packets arrive on the inside interface coming from 10.0.100.1 (the IP address of the
VPN client). I also see the response from the server (10.0.1.28) to 10.0.100.1. However, for some reason no packet makes it through
the PIX to the client. The PIX logs also show packets to and from the VPN client on the inside interface, and *no* drops. So to my knowledge the packets from the server to the VPN client really should make it through the PIX.
I have attached the following as separate files:
(o) the relevant parts of the PIX config
(o) PIX log showing packets between the VPN client and the server(s) on the inside interface
(o) Ethereal trace taken on the inside interface, also showing packets between the VPN client and the server(s)
I have really scratched my head for a while on this one and tested a lot of things, but I really don't know what could be the problem with my
config.
After all, it really should be possible to run site-to-site and remote-access VPN on the same PIX, shouldn't it?
Thank you very much in advance for your help,
-ewald
I think your problem is in your ACL and your crypto map:
access-list 101 permit ip 10.0.1.0 255.255.255.0 10.0.2.0 255.255.255.0
access-list 101 permit ip 10.0.0.0 255.255.255.0 10.0.2.0 255.255.255.0
access-list 101 permit ip 10.0.3.0 255.255.255.0 10.0.2.0 255.255.255.0
access-list 101 permit ip 10.0.1.0 255.255.255.0 10.0.100.0 255.255.255.0
crypto map loc2rem 1 match address 101
This means that this map entry matches these addresses. But your dynamic map is the one that must match the 10.0.100.0 <-> 10.0.1.0 traffic, because your local IP pool is 10.0.100.x. I think what is happening is that the return traffic from the LAN to the VPN clients tries to go out the static tunnel, which probably does not exist for those netblocks (you probably have a security association for each pair of netblocks, but not for the VPN clients), and so it fails.
I would recommend adding these lines:
access-list 105 permit ip 10.0.1.0 255.255.255.0 10.0.2.0 255.255.255.0
access-list 105 permit ip 10.0.0.0 255.255.255.0 10.0.2.0 255.255.255.0
access-list 105 permit ip 10.0.3.0 255.255.255.0 10.0.2.0 255.255.255.0
no crypto map loc2rem 1 match address 101
crypto map loc2rem 1 match address 105
Then reapply:
crypto map loc2rem interface outside
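The selection problem the reply describes can be modelled in a few lines. The following added Python example (not the poster's or Cisco's code) walks a crypto map in sequence order the way a PIX does: the first entry whose ACL permits the flow claims it, and only then is a security association looked up. With access-list 101 the server's reply to 10.0.100.1 is claimed by the static entry, which has no SA covering that pair; with access-list 105 the flow falls through to the dynamic entry and the client's SA. The peer label "remote-site", the SA tables and the sample addresses are constructed for the example.

```python
"""Toy model of crypto map entry selection on a PIX with a static and a dynamic entry.

Added example; entry names, the client address and the SA tables are constructed.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network


@dataclass(frozen=True)
class Entry:
    seq: int
    kind: str          # "static" (match address <acl>, set peer) or "dynamic"
    acl: tuple = ()    # ((local_net, remote_net), ...) for a static entry
    peer: str = ""     # static peer label


def acl_permits(acl, src, dst):
    """True when some (local, remote) pair of the ACL covers the flow."""
    s, d = ip_address(src), ip_address(dst)
    return any(s in ip_network(a) and d in ip_network(b) for a, b in acl)


class CryptoMap:
    def __init__(self, entries, static_sas, client_sas):
        self.entries = sorted(entries, key=lambda e: e.seq)  # walked by sequence number
        self.static_sas = tuple(static_sas)   # proxy identities negotiated with the static peer
        self.client_sas = set(client_sas)     # addresses of clients holding a dynamic SA

    def resolve(self, src, dst):
        """Return (entry kind, peer, SA available) for an outbound packet."""
        for e in self.entries:
            if e.kind == "static":
                if acl_permits(e.acl, src, dst):
                    # the static entry claims the flow; it only works if the static peer
                    # negotiated an SA whose proxy identities cover this src/dst pair
                    return "static", e.peer, acl_permits(self.static_sas, src, dst)
            elif dst in self.client_sas:
                return "dynamic", dst, True
        return "cleartext", None, False   # no entry matched: packet would leave unencrypted


# access-list 101 as posted: the static map ACL also lists the VPN pool
ACL_101 = (("10.0.1.0/24", "10.0.2.0/24"), ("10.0.0.0/24", "10.0.2.0/24"),
           ("10.0.3.0/24", "10.0.2.0/24"), ("10.0.1.0/24", "10.0.100.0/24"))
# access-list 105 as recommended: only the site-to-site netblocks
ACL_105 = ACL_101[:3]


def before_fix():
    return CryptoMap([Entry(1, "static", ACL_101, "remote-site"), Entry(10, "dynamic")],
                     static_sas=ACL_105, client_sas={"10.0.100.1"})


def after_fix():
    return CryptoMap([Entry(1, "static", ACL_105, "remote-site"), Entry(10, "dynamic")],
                     static_sas=ACL_105, client_sas={"10.0.100.1"})


if __name__ == "__main__":
    print(before_fix().resolve("10.0.1.28", "10.0.100.1"))  # ('static', 'remote-site', False)
    print(after_fix().resolve("10.0.1.28", "10.0.100.1"))   # ('dynamic', '10.0.100.1', True)
    print(after_fix().resolve("10.0.1.28", "10.0.2.9"))     # ('static', 'remote-site', True)
```

The static peer's SAs are the same three netblock pairs in both cases; what changes is only which entry claims the server-to-client flow, which is why removing the fourth line of the crypto ACL, rather than adding anything, is the fix.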
-
Hello
I currently have an RV042G in my company. It works fine, but I was looking for a solution that would allow me to use the VPN so that I can tunnel in and then connect to the Internet via the tunnel. I want a secure way to connect to the Internet from my laptop while I am travelling, and I prefer to build my own VPN and do it myself.
If I understand correctly, the RV042G does not allow this and only gives access to the local network via the tunnel. What would be the next router up that fulfils this purpose?
Thank you!
Hi rodman,
These devices work fine; you can also use third-party software, not only software from Cisco, to use the VPN features. As for subscriptions, IAPH supports more special features such as Link Protect and IP addresses, and you can buy a subscription in order to add these features to your device; however, if you don't want them you don't have to buy it.
Cisco provides some of the best support; there is plenty of support available via chat, email or telephone, and it also provides assistance free of charge for users of this forum if you don't buy a warranty.
I hope you find this answer useful,
* Please rate or mark this as answered so that other users can benefit from it *
Greetings,
Johnnatan Rodriguez Miranda.
Cisco network support engineer.
-
Calling-Station-ID attribute needs the AnyConnect VPN client MAC address
Hi all
We are trying to get AnyConnect VPN users to connect using certificates. The ASA is validating/authenticating the user based on the cert, and for authorization it requires a RADIUS server (ISE). Currently the ASA sends the IP address of the VPN client in 'Calling-Station-ID'. We want the ASA to send the AnyConnect VPN client MAC address to the RADIUS server in the RADIUS attribute 'Calling-Station-ID'. Is it possible to do this? Any way around it?
Hi Parag,
The Calling-Station-ID always contains the IP for AnyConnect VPN.
It is L3 by nature, unlike wireless, which has an L2 association.
Currently there is no workaround.
Regards,
Ed
-
Query on ASA & ISP address space
Hi all
Maybe a stupid question. One of my clients is planning on creating RDP access to some servers sitting on the 'inside' of an ASA 5510. The customer asked the ISP for a public /24 address space and got 1.1.1.0/24 (IPs changed). In addition, the ISP provided the customer with the ASA outside I/F IP 2.2.2.2/30 and a default gateway for the ASA (ISP modem) of 2.2.2.1/30.
So what is the best way to use the ISP-assigned public IPs to provide RDP access to servers on the inside...? Can I assign 1.1.1.1/24 to the ASA inside and create a 'No NAT' to access the Internet and RDP?
Or, I initially thought of having NAT with a private IP scheme in-house (wasn't aware the public IP address space was requested). So is it possible to use the same private IP address space and the assigned /24 IP addresses to create Internet/RDP access?
Help for config links is appreciated.
Thank you in advance
MS
"I initially thought of having NAT with a private IP scheme in-house (wasn't aware the public IP address space was requested). So is it possible to use the same private IP address space and the assigned /24 IP addresses to create Internet/RDP
access?"
Absolutely possible, and the best thing to do, as you thought.
If I understand correctly (please correct me otherwise):
1 - You have an ASA 5510 with outside interface public IP 2.2.2.2/30
2 - ISP router with IP 2.2.2.1/30
3 - The ISP gives the customer 254 public IP addresses on another range, 1.1.1.0/24
Well, you can do the following if you do not have the inside interface IP configured yet.
1 - The ASA 5510 inside can be any subnet IP in any of the reserved private ranges. For your inside interface you can use one of the private ranges below:
i - 10.0.0.0 through 10.255.255.255
ii - 172.16.0.0 through 172.31.255.255
iii - 192.168.0.0 through 192.168.255.255
Assume that you have inside interface 172.16.1.1/24.
So you have:
ASA 5510 outside interface IP: 2.2.2.2/30
ASA 5510 inside interface IP: 172.16.1.1/24
For your ISP's new public IP range, just create your one-to-one NAT translations in the ASA 5510
using the new ISP IP addresses. Note that the ISP should route the new public IP address space to your ASA 5510 outside interface; I'm sure they know that.
As said, just create your static NAT using the new public IP addresses; you can also create
global NAT pools if necessary.
For example, RDP access from outside with the public IP 1.1.1.100 mapped to the inside host PC 172.16.1.50:
static (inside,outside) 1.1.1.100 172.16.1.50 netmask 255.255.255.255 0 0
access-list outside_access_in permit tcp any host 1.1.1.100 eq 3389
access-group outside_access_in in interface outside
For example, creating additional global pools for PAT using the new IP range:
global (outside) 2 1.1.1.50-1.1.1.74
global (outside) 2 1.1.1.75
Rgds
Jorge
-
Remote VPN and site-to-site VPN: remote VPN users unable to access the local network
As per the config below, remote VPN and site-to-site VPN remote users are unable to access the local network. Please suggest the required config.
The local host 192.168.215.4 is not able to ping the server IP; the remote VPN connectivity works fine, but the VPN users are not able to ping the local network.
ASA Version 8.2(2)
!
hostname
domain-name kunchevrolet
enable password r8xwsBuKsSP7kABz encrypted
passwd r8xwsBuKsSP7kABz encrypted
names
!
interface Ethernet0/0
 nameif outside
 security-level 0
 pppoe client vpdn group dataone
 ip address pppoe
!
interface Ethernet0/1
 nameif inside
 security-level 50
 ip address 192.168.215.2 255.255.255.0
!
interface Ethernet0/2
 nameif Internet
 security-level 0
 ip address dhcp setroute
!
interface Ethernet0/3
 shutdown
 no nameif
 no security-level
 no ip address
!
interface Management0/0
 shutdown
 no nameif
 no security-level
 no ip address
 management-only
!
ftp mode passive
clock timezone IST 5 30
dns server-group DefaultDNS
 domain-name kunchevrolet
same-security-traffic permit intra-interface
object-group network GM-DC-VPN-Gateway
object-group network net-LAN
access-list sptnl extended permit ip 192.168.215.0 255.255.255.0 192.168.2.0 255.255.255.0
access-list sheep extended permit ip 192.168.215.0 255.255.255.0 192.168.2.0 255.255.255.0
access-list split-tunnel standard permit 192.168.215.0 255.255.255.0
pager lines 24
logging enable
logging asdm informational
mtu outside 1500
mtu inside 1500
mtu Internet 1500
ip local pool VPN_Users 192.168.2.1-192.168.2.250 mask 255.255.255.0
icmp unreachable rate-limit 1 burst-size 1
asdm history enable
arp timeout 14400
nat-control
global (outside) 1 interface
nat (inside) 1 0.0.0.0 0.0.0.0
route outside 0.0.0.0 0.0.0.0 59.90.214.1 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
dynamic-access-policy-record DfltAccessPolicy
aaa authentication ssh console LOCAL
aaa authentication telnet console LOCAL
aaa authentication http console LOCAL
aaa authentication enable console LOCAL
aaa authentication serial console LOCAL
http server enable
http x.x.x.x 255.255.255.252 outside
http 192.168.215.0 255.255.255.252 inside
http 192.168.215.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set RIGHT esp-3des esp-sha-hmac
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
crypto dynamic-map dynmap 65500 set transform-set RIGHT
crypto map VPN 10 ipsec-isakmp dynamic dynmap
crypto map VPN interface outside
crypto map ASA-01 10 set peer 221.135.138.130
crypto map ASA-01 10 set transform-set RIGHT
crypto isakmp enable outside
crypto isakmp policy 10
 authentication pre-share
 encryption 3des
 hash sha
 group 2
 lifetime 86400
crypto isakmp policy 65535
 authentication pre-share
 encryption
 hash sha
 group 2
 lifetime 28800
telnet 192.168.215.0 255.255.255.0 inside
telnet timeout 5
ssh 0.0.0.0 0.0.0.0 outside
ssh timeout 5
console timeout 0
management-access inside
vpdn group dataone request dialout pppoe
vpdn group dataone localname bb4027654187_scdrid
vpdn group dataone ppp authentication chap
vpdn username bb4027654187_scdrid password * store-local
dhcp-client client-id interface Internet
dhcpd dns 218.248.255.141 218.248.245.1
!
dhcpd address 192.168.215.11-192.168.215.254 inside
dhcpd enable inside
!
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
ssl encryption des-sha1
webvpn
 enable outside
 tunnel-group-list enable
group-policy kun internal
group-policy kun attributes
 vpn-simultaneous-logins 8
 vpn-tunnel-protocol IPSec
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value split-tunnel
 default-domain value kunchevrolet
username test password P4ttSyrm33SV8TYp encrypted
username kunauto password bSHrKTGl8PUbvus/ encrypted privilege 15
username kunauto attributes
 vpn-group-policy kun
 vpn-tunnel-protocol IPSec
tunnel-group vpngroup type remote-access
tunnel-group vpngroup general-attributes
 address-pool VPN_Users
 default-group-policy kun
tunnel-group vpngroup webvpn-attributes
 group-alias vpngroup enable
tunnel-group vpngroup ipsec-attributes
 pre-shared-key *
tunnel-group test type remote-access
tunnel-group x.x.x.x type ipsec-l2l
tunnel-group x.x.x.x ipsec-attributes
 pre-shared-key *
!
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum client auto
  message-length maximum 512
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect ip-options
  inspect netbios
  inspect rsh
  inspect rtsp
  inspect skinny
  inspect esmtp
  inspect sqlnet
  inspect sunrpc
  inspect tftp
  inspect sip
  inspect xdmcp
  inspect icmp
!
service-policy global_policy global
prompt hostname context
call-home
 profile CiscoTAC-1
  no active
  destination address http https://tools.cisco.com/its/service/oddce/services/DDCEService
  destination address email [email protected]
  destination transport-method http
  subscribe-to-alert-group diagnostic
  subscribe-to-alert-group environment
  subscribe-to-alert-group inventory periodic monthly
  subscribe-to-alert-group configuration periodic monthly
  subscribe-to-alert-group telemetry periodic daily
Cryptochecksum:0d2497e1280e41ab3875e77c6b184cf8
: end
kunauto#
Hello,
Looking at the configuration, there is an access list for NAT exemption:
access-list sheep extended permit ip 192.168.215.0 255.255.255.0 192.168.2.0 255.255.255.0
But it is not applied in the NAT statements.
Use the following command to apply the NAT exemption:
nat (inside) 0 access-list sheep
Kind regards,
Dinesh Moudgil
P.S. Please mark this message as 'Answered' if you find this information useful, so that it helps other users of the community.
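Why the missing "nat (inside) 0 access-list sheep" matters can be shown with a small model of NAT order on the ASA 8.2 config above. In the added Python example below (not the poster's or Cisco's code), the exemption ACL is consulted before the dynamic rule "nat (inside) 1 0.0.0.0 0.0.0.0 / global (outside) 1 interface": without the exemption, LAN traffic to the VPN pool is PAT'd to the outside interface address, no longer matches the identities the client negotiated (the split-tunnel list 192.168.215.0/24 to the pool), and follows the default route in the clear instead of the tunnel. The outside interface address 203.0.113.2 stands in for the PPPoE-assigned address, and the sample hosts are constructed.

```python
"""Toy model of NAT order on an ASA 8.2 with nat-control: exemption before dynamic PAT.

Added example; the outside address and sample packets are constructed placeholders.
"""
from ipaddress import ip_address, ip_network

LAN = "192.168.215.0/24"
VPN_POOL = "192.168.2.0/24"
OUTSIDE_IF_IP = "203.0.113.2"            # stand-in for the PPPoE-assigned outside address
SHEEP_ACL = ((LAN, VPN_POOL),)           # access-list sheep extended permit ip LAN VPN_POOL
CLIENT_PROXY_IDS = ((LAN, VPN_POOL),)    # identities the remote-access client negotiated


def _permits(acl, src, dst):
    s, d = ip_address(src), ip_address(dst)
    return any(s in ip_network(a) and d in ip_network(b) for a, b in acl)


def outbound(src, dst, exempt_acl=()):
    """Return (source address after NAT, path) for an inside-to-outside packet.

    path is "ipsec-tunnel" when the post-NAT addresses still match the client's SA,
    otherwise "internet" (the packet follows the default route unencrypted).
    """
    if _permits(exempt_acl, src, dst):
        new_src = src              # nat (inside) 0 access-list: identity, no translation
    else:
        new_src = OUTSIDE_IF_IP    # nat (inside) 1 0.0.0.0 0.0.0.0 + global (outside) 1 interface
    # the crypto check happens after NAT, so the translated source is what must match
    path = "ipsec-tunnel" if _permits(CLIENT_PROXY_IDS, new_src, dst) else "internet"
    return new_src, path


if __name__ == "__main__":
    print(outbound("192.168.215.4", "192.168.2.5"))             # ('203.0.113.2', 'internet')
    print(outbound("192.168.215.4", "192.168.2.5", SHEEP_ACL))  # ('192.168.215.4', 'ipsec-tunnel')
    print(outbound("192.168.215.4", "198.51.100.9", SHEEP_ACL)) # ('203.0.113.2', 'internet')
```

The third call shows that the exemption is narrow: ordinary Internet-bound traffic from the LAN is still PAT'd, which is the behaviour the rest of the config expects.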
-
I am an absolute techtard who was simply trying to free up memory card space so I can transfer songs from my BB to iTunes on my Mac, and of course fixing one problem leads to another and it really starts to avalanche.
Would be very grateful if anyone can help; here goes:
Technical specification:
Unlocked Pearl 8120, software v4.5.0.55 (Platform 2.7.0.68). I don't know if this is relevant, but I'm using this in Hong Kong.
How I messed up:
1. Tried to format the media card, but it refuses to let me do it whether the BB is hooked up to the Mac or not. Also tried pulling the battery.
2. Checked the media card: total space is 970 MB and I only have 144 KB left. Weird, because I only have a few pictures and notes besides the email service, and I just cleaned my inbox and the SMS and browser caches.
3. Deleted unnecessary files: a few photos and memos remain, but they can't take that much space, I think.
4. Searched through forum discussions: decided to try cleaning the memory.
5. Backed up Address Book and Address Book - All (no idea what the difference is, but did both anyway) with BB Desktop Manager, and backed up memos as well.
6. Enabled garbage collection. Media card saved. Status quo.
7. Checked another forum thread that says I can, and should, remove 'Address Book' from garbage collection.
8. Panicked and tried to remove 'Address Book', but it wasn't an option. Decided to clean all other components one by one in the hope of making more room, chose 'Certificate Search' and it wiped my complete address book.
9. Returned to BB Desktop Manager, selected Contacts and clicked "restore", with both options, i.e. full and partial restore, for Address Book and Address Book - All.
My address book is still empty.
Tried to restore my memos too, but BB Desktop Manager doesn't show me how to do it, and there are no results under the help section for restore. In true techtard mode, I then checked my memos: still there. Phew. Same for emails and SMS.
Since I am a techtard, I didn't back up my address book on my Mac (which would have been the next big leap after I synced my BB with my Mac tonight).
So it was back to the forum discussions again, and I saw one by sdgardne that said "uninstall the RIM DTM software, then reinstall it". I didn't want to tack this onto his thread because I'm dead desperate for some attention, so I thought I would start a fresh appeal for help instead.
My fear is that if I uninstall the RIM DTM software, I'll lose all my addresses and memos. Is that unfounded? Are there any other solutions at all?
I apologize for this long spiel, but I hope the information could be useful to anyone who is kind enough to rack their brain to help me out here.
Thanks heaps!
Hi JSanders,
Obstacles such as a switch of IT staff at the office delayed my thanks for your advice... I didn't have any backup and had been quietly sad/happy for a few days about the sudden wipeout, so miraculously all the addresses reappeared.
My outgoing IT guy said thanks to my Mac Office and Outlook software; it was not very helpful and he didn't specify, because he was really swamped in his last days at work. The new guy was looking to get a bit of a break, so it took me a while to understand how to save my address book (BB, Gmail and Apple Address Book), and emptying the memory card (reformatting the media card somehow as the tried-tested-guaranteed solution) escaped me.
So everything is in working order; I very much appreciate your advice, and IrwinII's too! Keep well!
-
I have an ASA 5510 with remote-access VPN active. Users can log in and access inside resources without problem. The issue is the servers in the DMZ, such as the web server: they cannot access them. Is there an easy way to allow access for VPN users?
Thank you
That will allow you to reach your DMZ servers. For example, if the DMZ is 192.168.1.0, you can hit your DMZ servers at their 192.168.1.x addresses, etc.
Your other option is to use split tunneling, which would allow you to access the servers through their public IP addresses that are translated on the ASA.
-
Hi all
I have a strange architecture including a VPN, and I have a few problems that I am not able to solve:
- I use the SSL VPN gateway to allocate internal IP addresses of the local network described in the diagram (8.8.2.0 or 8.8.3.0, according to the tunnel-group network).
- The purpose is for VPN clients to directly access the internal network.
This works very well as long as the communications are strictly internal to the network. But recently we installed an application that needs to access both networks. No problem, I thought, but I was wrong: there seems to be a routing problem inherent in the architecture in place.
Let me explain the problem:
- When I access the VPN, for example, I am given the IP address 8.8.3.5.
- I'm running the application that needs to open a page on the web server, located at 8.8.2.120.
- The ASA receives my TCP SYN datagram and forwards it directly to the directly connected interface fa0/1 (based on the routing table).
- The web server returns the response, but it sends it to its default gateway, which is the Cisco 6509.
- The 6509 sends it to its VLAN 2000 SVI.
- And finally the ASA receives it on its interface fa0/2, but it seems to drop it, as it opened a TCP connection on fa0/1 and receives the response on fa0/2.
I want the tunneled traffic to bypass the connected routes and be forwarded to a tunnel default gateway. This would ensure that the path for the request and the response would be the same.
I would like to know if there are debug commands for routing decisions to validate my theory?
Do you know of any solution to this problem?
Thanks a lot for your help.
When you configure TCP state bypass, always think: 'which way is the SYN packet coming?'
Routing failed messages always have a source and a destination; have you copied the entire message, of course?
BTW, instead of letting SSL clients get addresses from vlan2000, why not give them a separate subnet and route back via the correct interface?
I would also check your config and the routing table :-)
Marcin
-
CSA with the Client VPN and remote access
Hello world!
I have the following issue: I have to tune the CSA for a client that connects remotely with the VPN Client only. It should not be able to connect to any other network, LAN or dial-up.
Any idea what policy should be changed or tuned?
Thank you
You can create a network access rule that depends on a system state. The system state can be defined to have a set of addresses that belong to the VPN range, and the network access rule would declare that the client computer cannot act as a server on UDP/TCP ports when that system state applies.
So, if the laptop is not connected to the VPN, it would not be able to act as a server for connections at all and will be locked out. You will need to create an exception for the IP address of the VPN server at your corporate offices and allow the CSA client to open those ports.