VPN l2l migration issue
We have a few sites that all VPN to an ASA, ASA becomes a new IP address, I can configure, and new crypto card with a sequence with the same traffic number interesting?
The ASA that it will try if it cannot reach the old IP?
In VPN crypto card you should not introduce overlap, but you can add several counterparts at the entrance of crypto card. Or use a dynamic entry without any IP peer.
Tags: Cisco Security
Similar Questions
-
If anyone can help with control of packet - trace to migrate to l2l ipsec vpn
on ASA (one)
ciscoasa # packet - trace entry outside tcp 10.10.1.2 12345 192.168.1.2 80
ASA (one)
Ip address inside - 192.168.1.2
Destination port 80
ASA (b)
Inside - 10.10.1.2 ip address
Port source 12345
Hello
So if your host 'inside' is 192.168.1.2 and the 'outside' host is 10.10.1.2 then you could just what follows
Packet-trace entry inside tcp 192.168.1.2 12345 10.10.1.2 80
If the goal is just to test the VPN negotiation then the ports are not really important, but naturally tested traffic with "packet - tracer" must be authorized by your interface "inside" ACL. The essential is that the source address and destination match the VPN L2L (Crypto ACL) configurations
Generally you would use NAT0 for these networks the and remote so NAT should not be a problem to test from that direction. I suppose there might be rare situations where using the command in this sense is not possible
-Jouni
-
Add the existing network of VPN l2l
I have properly configured VPN l2l between our main site and 2 offices. Now, I would like to allow additional networks on the main site to access the branch sites. Here the doc of Cisco (http://www.cisco.com/en/US/products/ps6120/products_configuration_example09186a00807fad90.shtml) presents a method to do this by adding an additional interface. Is it possible to do without the addition of an interface?
Here are the relevant config on the main site ASA (8,0) and one of the remote PIX (7.0):
=========================
ASA (main site)
access extensive list ip 172.16.0.0 outside_1_cryptomap allow 255.255.255.0 172.16.29.0 255.255.255.0
access extensive list ip 172.16.1.0 outside_1_cryptomap allow 255.255.255.0 172.16.29.0 255.255.255.0
card crypto outside_map 1 match address outside_1_cryptomap
card crypto outside_map 1 set 24.97.x.x counterpart
map outside_map 1 set of transformation-ESP-3DES-MD5 crypto
=========================
PIX (remote site)
access extensive list ip 172.16.29.0 outside_cryptomap_20_2 allow 255.255.255.0 172.16.0.0 255.255.255.0
access extensive list ip 172.16.29.0 outside_cryptomap_20_2 allow 255.255.255.0 172.16.1.0 255.255.255.0
card crypto outside_map 20 match address outside_cryptomap_20_2
card crypto outside_map 20 peers set 204.14.x.x
outside_map card crypto 20 the transform-set ESP-3DES-MD5 value
Just add valuable traffic to your access lists. New = 172.16.2.0/24 network
ASA (main site)
outside_1_cryptomap to access extended list ip 172.16.2.0 allow 255.255.255.0 172.16.29.0 255.255.255.0
PIX (remote site)
access extensive list ip 172.16.29.0 outside_cryptomap_20_2 allow 255.255.255.0 172.16.2.0 255.255.255.0
Don't forget your nat exemption acl as well. For example...
ASA (main site)
extended access-list allow ip 172.16.2.0 255.255.255.0 172.16.29.0 255.255.255.0
PIX (remote site)
permit extended access list ip 172.16.29.0 255.255.255.0 172.16.2.0 255.255.255.0
-
Question of redundancy VPN l2l using 2811 as endpoint devices
I have a new implementation of VPN L2L passes using two 2811 s than VPN terminal devices. I'll try to use the HSRP address between the public interfaces of both routers as VPN peer address. The problem that I found during the test is that the tunnel will become active and debugs watch the HSRP address as an invalid address to form the tunnel. Have a work-around, or a better plan for redundancy on peering address using similar devices? Thanks in advance.
Take a look at this doc about IOS IPSec HA.
-
Go simple configuration of vpn L2L comply with security requirements
Hello
I have successfully install a L2L connection (5510, 7.2) and a 3rd party (SonicWall).
Security requirements are such that (contractors) to our office users to connect to various devices to the 3rd party, BUT nothing to the 3rd party must connect to what be it at our office.
I tried an outbound ACL (access-group L2L-RESTRICT the interface inside) inside the interface. But the funny thing is that I'm getting hits on the declarations of refusal on the ACL, although tests show no problems for you connect to multiple hosts to our site of the 3rd party. My ACL config looks like the following:
<..snip..>
Note to L2L-RESTRICT access-list * ATTENTION * WITH CAUTION - RESTRICTIONS ON the 3rd PARTY VPN L2L
L2L-RESTRICT access-list scope allow icmp 192.168.16.0 255.255.255.0 10.180.21.0 255.255.255.0 echo-reply
deny access list L2L-RESTRICT the scope ip 192.168.16.0 255.255.255.0 no matter what newspaper
Note to L2L-RESTRICT access-list > NOTE< last="" line="" *must*="" be="" permit="" any="">
L2L-RESTRICT access-list scope ip allow a whole
!
L2L-RESTRICT the interface inside access-group
<..snip..>
Their network is obviously 192.168.16.x and they won't be able to use a vlan from different source as "interesting traffic" ACL won't allow it. So that sounds good in theory
I have it configured correctly? Is there a better way?
Thanks in advance,
Mike
Mike,
It seems that you might be able to assign a VPN ACL filter via a group assigned to each tunnel L2L policy. I have never done this personally before, but looks like it would work...
-
Do not do a ping ASA inside IP port of the remote site VPN L2L with her
The established VPN L2L OK between ASA-1/ASA-2:
ASA-2# see the crypto isakmp his
KEv1 SAs:
ITS enabled: 1
Generate a new key SA: 0 (a tunnel report Active 1 and 1 to generate a new key during the generate a new key)
Total SA IKE: 1
1 peer IKE: 207.140.28.102
Type: L2L role: answering machine
Generate a new key: no State: MM_ACTIVE
There are no SAs IKEv2
QUESTION: 3750-2, we ping 3750-1 (10.10.2.253) are OK, but not ASA-1 inside port (10.10.2.254).
Debug icmp ASA-1 data:
ASA-1 debug icmp trace #.
trace of icmp debug enabled at level 1
Echo ICMP Internet request: 10.100.2.252 server: 10.10.2.253 ID = 400 seq = 0 len = 72
ICMP echo response from the server: 10.10.2.253 Internet: 10.100.2.252 ID = 400 seq = 0 len = 72
Echo ICMP Internet request: 10.100.2.252 server: 10.10.2.253 ID = 400 seq = 1 len = 72
ICMP echo response from the server: 10.10.2.253 Internet: 10.100.2.252 ID = 400 seq = 1 len = 72
Echo request ICMP 10.100.2.252 to 10.10.2.254 ID = 401 seq = 0 len = 72
Echo request ICMP 10.100.2.252 to 10.10.2.254 ID = 401 seq = 1 len = 72
Echo request ICMP 10.100.2.252 to 10.10.2.254 ID = 401 seq = 2 len = 72
Make sure you have access to the administration # inside
lt me know f This allows.
-
ASA5510 VPN L2L cannot reach hosts on the other side
Hello experts,
I have an ASA5510 with 3 VPN L2L and remote VPN access. Two VPN L2L, Marielle and Aeromique no problem, but for VPN ASPCANADA, to a host behind the ASA 192.168.100.xx, I can't reach 57.5.64.250 or 251 and vice versa. But the tunnel is up. Can you help me please, thank you in advance.
Add these two lines to the NAT 0 access list:
inside_outbound_nat0_acl list extended access allowed hosting ASP-NETWORK 255.255.255.0 ip 57.5.64.251
inside_outbound_nat0_acl list extended access allowed hosting ASP-NETWORK 255.255.255.0 ip 57.5.64.250
Also make sure this reflection of these statements are also in the distance of the ASA NAT 0-list of access.
Test and validate results
HTH
Sangaré
Pls rate helpful messages
-
VPN l2l failed inside on ASA 5520 (8.02)
VPN l2l is dropping packets to Phase 5 because of a rule configured. I have an isakmp his but the client cannot connect to the destination here in my network. I'll post my config to access list at the bottom of the Packet-trace output.
vpnASA01 # entry packet - trace within the icmp [10.0.0.243] 0 8 10.97.29.73 det
Phase: 1
Type: CAPTURE
Subtype:
Result: ALLOW
Config:
Additional information:
Direct flow from returns search rule:
ID = 0xc92087c8, priority = 12, area = capture, deny = false
hits = 85188209121, user_data = 0xc916a478, cs_id = 0 x 0, l3_type = 0 x 0
Mac SRC = 0000.0000.0000, mask is 0000.0000.0000
DST = 0000.0000.0000 Mac, mask is 0000.0000.0000
Phase: 2
Type: ACCESS-LIST
Subtype:
Result: ALLOW
Config:
Implicit rule
Additional information:
Direct flow from returns search rule:
ID = 0xc87f1f98, priority = 1, domain = allowed, deny = false
hits = 85193048387, user_data = 0 x 0, cs_id = 0 x 0, l3_type = 0 x 8
Mac SRC = 0000.0000.0000, mask is 0000.0000.0000
DST = 0000.0000.0000 Mac, mask is 0000.0000.0000
Phase: 3
Type: FLOW-SEARCH
Subtype:
Result: ALLOW
Config:
Additional information:
Not found no corresponding stream, creating a new stream
Phase: 4
Type:-ROUTE SEARCH
Subtype: entry
Result: ALLOW
Config:
Additional information:
in 10.0.0.0 255.0.0.0 inside
Phase: 5
Type: ACCESS-LIST
Subtype:
Result: DECLINE
Config:
Implicit rule
Additional information:
Direct flow from returns search rule:
ID = 0xc87f3670, priority = 111, domain = allowed, deny = true
hits = 67416, user_data = 0 x 0, cs_id = 0 x 0, flags = 0 x 4000, protocol = 0
SRC ip = 0.0.0.0 mask 0.0.0.0, port = 0 =
DST ip = 0.0.0.0 mask 0.0.0.0, port = 0 =
Result:
input interface: inside
entry status: to the top
entry-line-status: to the top
the output interface: inside
the status of the output: to the top
output-line-status: to the top
Action: drop
Drop-reason: flow (acl-drop) is denied by the configured rule
= ACCESS-LIST + Config =.
the object-group L2LVPN-blah_local network
network-object 10.97.29.73 255.255.255.255
the object-group L2LVPN-blah_remote network
network-object [10.0.0.240] 255.255.255.240INBOUND_OUTSIDE list of allowed ip extended access object-L2LVPN-blah_remote L2LVPN-blah_local group object
L2LVPN-blah_obj allowed extended ip access-list object-L2LVPN-blah_local group L2LVPN-blah_remote
access-list SHEEP extended permits all ip [10.0.0.243] 255.255.255.240
Route outside [10.0.0.240] [10.97.29.1] 255.255.255.240 1
address for correspondence card crypto outside-VPN 46 L2LVPN - blah_obj
peer set card crypto VPN-exterior 46 [10.0.0.243]
outside-VPN 46 transform-set esp-sha-aes-256 crypto card
outside-VPN interface card crypto outsideIPSec-l2l type tunnel-group [10.0.0.243]
IPSec-attributes of tunnel-group [10.0.0.243]
pre-shared-key *.[10.0.0.1] is to protect the global addresses of clients. Assume that these are still used in place of the current range of intellectual property. 10.0.0.240/28
===========================================
Thanks in advance.
Michael Garcia
Profit Systems, Inc..
Hi Michael,
-Is the IP peer really part of the network that make up the field of encryption?
-Is the ACL INBOUND_OUTSIDE applied (incoming) inside or outside interface (inbound)? It is the current form, it would need to be on the external interface.
-You specify the peer IP only in the ACL SHEEP, so all other traffic is NAT would and eventually denied because it does not match the field of encryption
Someone else may have a few ideas, but these are questions I have for the moment.
James
-
Redirect peer tunnel VPN L2L ina
Question of curiosity... I have 2 new ASA5515 which I put up for an improvement of the equipment. In the time before I swap them I am using them as a sort of laboratory of fortune to get him going to setup VPN L2L. I didn't use current IP addresses for the test environment, so I used false numbers.
My question is: can I go back and change the IP address peer and address local/remote without having to tear them up to specifications plant again?
-Do I have reprint just the type of Tunnel-Group IPsec-l2l X.X.X.X command with the IP address?
I know that there are a few other of the region that I have to change the IP of both peers, but just of my question is, I can do or do I have to start over?
-Jon
Jon
You should not reconfigure from scratch if that's what you're asking.
You just need to change the peer IPs everywhere where they appear in your configuration.
Jon
-
Using VPN L2L static and dynamic dedicated tunnels
We have an ASA 5510 running 8.0 at our company headquarters. We have remote sites who need to create VPN L2L at the HQ ASA tunnels. Some remote sites have static IP addresses and others have dynamic IP addresses.
I found documentation Cisco L2L static IP VPN tunnels and make them work. I found another Cisco documentation for static IP dynamic L2L VPN tunnels using the tunnel-group "DefaultL2LGroup".
My question is, can you have two types of tunnels on the same ASA L2L? If so, simply by using the definitions of "DefaultL2LGroup" tunnel-group and
of tunnel-group work? Is there a reason to not do? Is better technology (ASA HQ and a combination of ASA 5505 and 1861 at remote sites) available? Yes, you can have both types of tunnels L2L. If you use a PSK - remember that the IP address of the remote site is used to 'validate' to connect to Headquarters. As long as you use a sure PSK = 64 characters and all with upper/lower case alpha numeric - you should be OK.
A better way to do it - is to get the static IP addresses for the site that currently have DHCP from ISP.
HTH >
-
RA VPN VPN L2L via NAT strategy
Scenario: we have remote access VPN users who need to access a VPN L2L by ASA even outside the interface. This particular VPN L2L is a partner that requires us to NAT (192.168.x.x) addresses to another private address (172.20.x.x). We also access VPN L2L to internal hosts. NATing to the partner is accomplished through a NAT policy.
Our remote VPN users cannot access the L2L VPN. It seems that the host address VPN (assigned through RADIUS) is not in THAT NAT would not, even if it is in the range object.
"Group" is configured and works for the other VPN.
NO - NAT ACL does not seem to be involved (which it shouldn't), as the address of the internal host (192.168.60.x) is not NAT to be the public address.
Internal hosts that can access the VPN tunnel very well.
Here are the relevant config:
permit same-security-traffic intra-interface
the OURHosts object-group network
host 192.168.1.x network-object
host 192.168.2.x network-object
object-network 192.168.60.0 255.255.255.0
the PartnerHosts object-group network
network-host 10.2.32.a object
network-host 10.2.32.b object
network-host 10.2.32.c object
access-list extended NAT2 allowed ip object-group OURHosts-group of objects PartnerHosts
Global (OUTSIDE) 2 172.20.x.x
NAT (INSIDE) 2-list of access NAT2
The syslog error we receive:
% ASA-4-402117: IPSEC: received a package not IPSec (Protocol = ICMP) 10.2.32.a to 192.168.60.x
Yes. According to the config that you posted, there is no command currently in no place in vpn nat clients the RA to the hairpin above the tunnel.
The inside of our customers work due to "nat (INSIDE) 2 NAT2 access-list. But because your VPN RA customers coming from "OUTSIDE", this statement by nat would have no effect on them.
-
Summary:
We strive to establish a two-way VPN L2L tunnel with a partner. VPN traffic is one-to-many towards our partner, and our partner they need of a many-to-one to us (they need to access a host on our network). In addition, our partner has many VPN, so they force us to use a separate NAT with two private hosts addresses, one for each direction of the tunnel.
My initial configuration of the tunnel on my grown up side of Phase 1, but not IPSec. Partner ran debug that revealed that my host did not address NAT'd in the NAT policy. We use an ASA5520, ver 7.0.
Here is the config:
# #List of OUR guests
the OURHosts object-group network
network-host 192.168.x.y object
# Hosts PARTNER #List
the PARTNERHosts object-group network
network-host 10.2.a.b object
###ACL for NAT
# Many - to - many outgoing
access-list extended NAT2 allowed ip object-group OURHosts-group of objects PARTNERHosts
# One - to - many incoming
VIH3 list extended access permit ip host 192.168.c.d PARTNERHosts object-group
# #NAT
NAT (INSIDE) 2-list of access NAT2
NAT (OUTSIDE) 2 172.20.n.0
NAT (INSIDE) 3 access-list VIH3
NAT (OUTSIDE) 3 172.20.n.1
# #ACL for VPN
access list permits extended VPN ip object-group objects PARTNERHosts OURHosts-group
access allowed extended VPN ip host 192.168.c.d PARTNERHosts object-group list
# #Tunnel
tunnel-group
type ipsec-l2l card
<#>crypto is the VPN address card crypto
<#>the value transform-set VPN card
<#>crypto defined peer I realize that the ACL for the VPN should read:
access allowed extended VPN ip host 172.20.n.0 PARTNERHosts object-group list
access allowed extended VPN ip host 172.20.n.1 PARTNERHosts object-group list
.. . If the NAT was working properly, but when this ACL is used, Phase 1 is not even negotiating, so I know the NAT is never translated.
What am I missing to NAT guests for 172.20 addresses host trying to access their internal addresses via the VPN?
Thanks in advance.
Patrick
Here is the order of operations for NAT on the firewall:
1 nat 0-list of access (free from nat)
2. match the existing xlates
3. match the static controls
a. static NAT with no access list
b. static PAT with no access list
4. match orders nat
a. nat [id] access-list (first match)
b. nat [id] [address] [mask] (best match)
i. If the ID is 0, create an xlate identity
II. use global pool for dynamic NAT
III. use global dynamic pool for PAT
If you can try
(1) a static NAT with an access list that will have priority on instruction of dynamic NAT
(2) as you can see on 4A it uses first match with NAT and access list so theoretically Exchange autour should do the trick.
I don't see any negative consequences? -Well Yes, you could lose all connectivity. I don't think that will happen, but I can't promise if you do absolutely not this after-hours.
Jon
-
Hi all
I need to create a VPN L2L tunnel between us and another local company. We use a 3845 router and the other carrier uses a 3745 router. I created a lot of VPN tunnels in the past using NAT. In this case, I don't have to. is it possible for a tunnel VPN work with the same configuration without using NAT. My router and the device being connected to all have a public IP address on the same subnet.
Thank you
Stevan
Hello
Yes, you can create L2L without having to use NAT.
See the examples of configuration (under VPN Site to Site with PIX/IOS):
http://www.Cisco.com/en/us/partner/products/HW/vpndevc/ps2030/prod_configuration_examples_list.html
Before that, you have probably more experience configuration tunnel as shown in the url below:
Rgds,
AK
-
Direct specific ports down a VPN L2L
I have a client who is trying to use an ISP hosted web filtering and content management a gateway, the ISP wants to use and L2L ISPEC VPN on site at their front door to control the traffic. Today we have the tunnel with an ACL test for peripheral test side customer down the tunnel, but that it blocks all traffic that is not being analyzed. The problem is that they are on an ASA 5510 with 8.2.2. You cannot add ports tcp in the ACL sheep, it error when you try to apply the nat 0 access-list statement sheep (inside). We can define the ports to go down the VPN traffic interesting ACL with number, but there is no way to send just the web ports down the VPN and allow the other ports on regular overflow interface NAT I was look in 8.4 and see if it allows a policy NAT (twice the NAT for virtual private networks) to set a port to a range of IPS (IE (: nat static destination WEBINSPECT-WEBINSPECT (indoor, outdoor) static source a whole) but who only define as web ports.
I do not have an ASA test to use, but I guess that vpn l2l will be only by IP and I can not define a port tunnel.
In any case, it is a strange, but the ideas are welcome. I don't think it's possible, but I thought I'd see if anyone encountered at the front.
Hello
Well to give you a simple example where we use the double NAT / manual transmission NAT to handle traffic
For example a configuration example I just did on my 8.4 (5) ASA
The following configuration will
- Set the 'object' that contains the source network for NAT
- Set the 'object' that contains the service for NAT
- Define the real NAT
The real NAT is going to make any connection from the network under 'Wireless' network object to the destination port TCP/80 will be sent 'WAN' interface without NAT
Of course it is the next step with VPN L2L network under 'network wireless of the object' would correspond to the ACL of VPN L2L. But that seemed straight forward for you already
the subject wireless network
10.0.255.0 subnet 255.255.255.0
service object WWW
Service tcp destination eq www
NAT (WLAN, WAN) static source without WIRE WIRELESS WWW WWW service
The following configuration will
- Define the "object-group", that defines networks of the source of the rule by default PAT for Internet traffic
- Set the 'object' for the PAT address (could just use 'interface' instead of the 'object')
- Define the real NAT
The NAT configuration will just make a rule by default PAT for the wireless network. The key thing to note here is that we use the setting "auto after." This basically inserts the NAT rule to the priority of the very bottom of the ASA.
object-group, network WIRELESS-network
object-network 10.0.255.0 255.255.255.0
network of the PAT object - 1.1.1.1
host 1.1.1.1
NAT (WLAN, WAN) after the automatic termination of wireless - NETWORK PAT dynamic source - 1.1.1.1
Now we can use the command "packet - trace" to confirm that the NAT works as expected.
WWW TEST-TRAFFIC
ASA (config) # packet - trace 12355 1.2.3.4 entry WLAN tcp 10.0.255.100 80
Phase: 1
Type: UN - NAT
Subtype: static
Result: ALLOW
Config:
NAT (WLAN, WAN) static source without WIRE WIRELESS WWW WWW service
Additional information:
NAT divert on the output WAN interface
Untranslate 1.2.3.4/80 to 1.2.3.4/80
Phase: 2
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional information:
Phase: 3
Type: NAT
Subtype:
Result: ALLOW
Config:
NAT (WLAN, WAN) static source without WIRE WIRELESS WWW WWW service
Additional information:
Definition of static 10.0.255.100/12355 to 10.0.255.100/12355
Phase: 4
Type: HOST-LIMIT
Subtype:
Result: ALLOW
Config:
Additional information:
Phase: 5
Type: NAT
Subtype: rpf check
Result: ALLOW
Config:
NAT (WLAN, WAN) static source without WIRE WIRELESS WWW WWW service
Additional information:
Phase: 6
Type: USER-STATISTICS
Subtype: user-statistics
Result: ALLOW
Config:
Additional information:
Phase: 7
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional information:
Phase: 8
Type: USER-STATISTICS
Subtype: user-statistics
Result: ALLOW
Config:
Additional information:
Phase: 9
Type: CREATING STREAMS
Subtype:
Result: ALLOW
Config:
Additional information:
New workflow created with the 1727146 id, package sent to the next module
Result:
input interface: WLAN
entry status: to the top
entry-line-status: to the top
the output interface: WAN
the status of the output: to the top
output-line-status: to the top
Action: allow
TEST FTP - TRAFFIC
ASA (config) # packet - trace entry tcp 10.0.255.100 WLAN 12355 1.2.3.4 21
Phase: 1
Type:-ROUTE SEARCH
Subtype: entry
Result: ALLOW
Config:
Additional information:
in 0.0.0.0 0.0.0.0 WAN
Phase: 2
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional information:
Phase: 3
Type: INSPECT
Subtype: inspect-ftp
Result: ALLOW
Config:
class-map inspection_default
match default-inspection-traffic
Policy-map global_policy
class inspection_default
inspect the ftp
global service-policy global_policy
Additional information:
Phase: 4
Type: NAT
Subtype:
Result: ALLOW
Config:
NAT (WLAN, WAN) after the automatic termination of wireless - NETWORK PAT dynamic source - 1.1.1.1
Additional information:
Definition of dynamic 10.0.255.100/12355 to 1.1.1.1/12355
Phase: 5
Type: HOST-LIMIT
Subtype:
Result: ALLOW
Config:
Additional information:
Phase: 6
Type: NAT
Subtype: rpf check
Result: ALLOW
Config:
NAT (WLAN, WAN) after the automatic termination of wireless - NETWORK PAT dynamic source - 1.1.1.1
Additional information:
Phase: 7
Type: USER-STATISTICS
Subtype: user-statistics
Result: ALLOW
Config:
Additional information:
Phase: 8
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional information:
Phase: 9
Type: USER-STATISTICS
Subtype: user-statistics
Result: ALLOW
Config:
Additional information:
Phase: 10
Type: CREATING STREAMS
Subtype:
Result: ALLOW
Config:
Additional information:
New workflow created with the 1727154 id, package sent to the next module
Result:
input interface: WLAN
entry status: to the top
entry-line-status: to the top
the output interface: WAN
the status of the output: to the top
output-line-status: to the top
Action: allow
As you can see traffic TCP/80 corresponds to rule on the other. And the FTP used for example corresponds to rule by default PAT as expected.
If you want to know a little more about the new NAT 8.3 format + you can check a document I created
https://supportforums.Cisco.com/docs/doc-31116
Hope this helps you, please mark it as answered in the affirmative or rate of answer.
Naturally ask more if necessary
-Jouni
-
ASA 8.4. (1) VPN L2L can only be established through default gateway
Hi all!
We have an ASA 5510, with two internet connections. A destined for VPN l2l and the other to access inet users in general.
On asa 8.04, I configured the encryption on inteface "VPNAccess" card and a static route on the remote peer L2L with access internet VPN, the default rotue pointed the router General inet.
We bought a new firewall with 8.4.1 and now asa only tries to open the remote if peer traffic is on the default gateway.
It does not take into account routes more specific (I mean longer masks) and always tries to use the gateway by default, but only for VPN, if I do a trace to that peer route, it uses the routing table correctly.
Any advice?
Thank you!
Well well, (any, any) certainly does not help.
You need to be more specific, otherwise, even once, as suggested earlier, he does not know which interface to use because you don't have specify it.
In addition, you must also be precise with the source network and destination. Otherwise, the firewall will not know which interface the subnet should be connected to.
More precise best for NAT statement.
NAT (, PublicTESAVPNBackup) source static static destination
Maybe you are looking for
-
Need to identify the particular SEO plugin
Just had my PC upgraded to Windows 7 and lost all my Firefox plugins. I had a particular SEO plugin that would show changes in the ranking for each URL in the Google search results (as a + XX, XX - or a disc orange if no change). Does anyone know whi
-
Satellite L300 not connect to Netgear router
Hi, I wonder if someone can help me. I recently installed a Netgear wireless home router. Although the Mac laptops and iPod in the House have all connected without any problems my Satellite L300 (PSLB8A-0VK004) is not.Curiously however Island L300 co
-
Hello I have HP PSC 1402 printer but it is not printing. The display shows only the number 3. The red lamp will Flash. Best regards Peter
-
bought the laptop in October last year still have not yet received my update 7?
Hello my name is Alex. I bought this computer in October November last year. I was promised a free upgrade to windows 7, when I bought the computer from 'Best Buy '. Know we never explained how I had received the free upgrade. Can anyone help?
-
for hp laptop d008se, boot usb drive not in the sequence of boot in the bios!
I have purched a HP Notebook Laptop (HP D008se) model with Win 8.1 only language X.64 bits. I want to boot from a USB key, I went to the bios by(ESC+F10) and went to the boot order, but there is no USB drive only (hard USB, CD/DVD, network, the OS Bo