VPN NAT problem
I was informed by an outside vendor they need me to install a VPN site-to site on our ASA 5510/8, 4.
I have configured the VPN IPsec site to site, but they have a weird requirement. For some reason, they want me
NAT the server in question for 172.19.10.1/29, who already like a CARESS to the outside. Then, I would have
to create a policy NAT who said if 192.168.225.10 needs to access the 172.29.0.0/29 then NAT at 172.29.10.1.
My only concern is, the only connections on the SAA is the external interface that goes to the WAN, and a
internal interface that goes to a switch. There is no interface that has 172.29.10.0/29 this partner network.
I thought you could only NAT to an interface that has an address that is mapped to it.
The router connected to the ASA will never see that such intellectual property that it is located in the VPN tunnel. Only your IPSec peer sees this and if all goes well, he knows what to do with this address, if he asked that NAT.
Your NAT should be changed if the remote network is HCAS:
Static NAT to destination for the FSU HCASNAT static HCAS HCAS source (indoor, outdoor)
EDIT: This rule should be placed before your General NAT statement, which the ASA addresses the rules high NAT down.
--
Don't stop once you have upgraded your network! Improve the world by lending money to low-income workers:
http://www.Kiva.org/invitedBy/karsteni
Tags: Cisco Security
Similar Questions
-
ASA 8.3 - SSL VPN - NAT problem
Need help to find how to configure anyconnect VPN with VPN client using a NAT networking internal.
There are many items on the side - how to disable NAT for vpn pool.
I need to create the gateway VPN to the complex international lnetwork, vpnpool is out of range of regular subnet of that network, so it's going to be questions witout NAT routing.
I so need to vpn clients connected to
be PATed to . The problem is that there is also a dynamic to PAT rule for the ordinary acccess Iternet which translates as 'rules NAT asymmetry... "error. Create two times different NAT rules and moving them on up/down makes no difference. There are also some hidden rules of vpn setup :-(that could not be seen.
V8.3 seems is destroying trust in Cisco firewall...
Thank you.
Stan,
Something like this works for me.
192.168.0.0/24---routeur--172.16.0.0/24 ASA-= cloud = host. (the tunnel he get IP address of 'over' pool, which is also connected to the inside)
BSNs-ASA5520-10 (config) # clear xlate
INFO: 762 xlates deleted
BSNs-ASA5520-10 (config) # sh run nat
NAT (inside, outside) static all of a destination SHARED SHARED static
!
NAT source auto after (indoor, outdoor) dynamic one interface
BSNs-ASA5520-10 (config) # sh run object network
network of the LOCAL_NETWORK object
192.168.0.0 subnet 255.255.255.0
The SHARED object network
172.16.0.0 subnet 255.255.255.0
BSNs-ASA5520-10 (config) # sh run ip local pool
IP local pool ALL 10.0.0.100 - 10.0.0.200
local IP ON 172.16.0.100 pool - 172.16.0.155
BSNs-ASA5520-10 (config) # sh run tunne
BSNs-ASA5520-10 (config) # sh run tunnel-group
attributes global-tunnel-group DefaultWEBVPNGroup
address pool ONIf I get your drift... bypass inside and outside is not really necessary on Cisco equipment as it should work straight out of the box via the proxy arp, but I'm not face or solution providers for remote access.
Marcin
-
ASA VPN (NAT problem)?
Hi people, I was hoping sopmeone on these forums might be able to help. I have some problem with a config for our ASA5510, functioning 8.2 (1)
I installed a VPN tunnel a firewall to vyatta off-site. The tunnel is up.
ABN-FW3-CISCO ASA5510 # show crypto ipsec his
Interface: outside
Tag crypto map: VPN_Zettagrid_Map, seq num: 10, local addr: 116.212.X.X
VPN_cryptomap list access ip 192.9.0.0 255.255.0.0 allow 192.168.11.0 255.255.255.0
local ident (addr, mask, prot, port): (192.9.0.0/255.255.0.0/0/0)
Remote ident (addr, mask, prot, port): (192.168.11.0/255.255.255.0/0/0)
current_peer: 119.252.X.X
#pkts program: 14, #pkts encrypt: 14, #pkts digest: 14
#pkts decaps: 16, #pkts decrypt: 16, #pkts check: 16
compressed #pkts: 0, unzipped #pkts: 0
#pkts uncompressed: 14, comp #pkts failed: 0, #pkts Dang failed: 0
success #frag before: 0, failures before #frag: 0, #fragments created: 0
Sent #PMTUs: 0, #PMTUs rcvd: 0, reassembly: 20th century / of frgs #decapsulated: 0
#send errors: 0, #recv errors: 0
local crypto endpt. : 116.212.X.X, remote Start crypto. : 119.252.X.X
Path mtu 1500, fresh ipsec generals 58, media, mtu 1500
current outbound SPI: 670F3BF5Now I can pass information of the 119.252.X.X to our internal networks (192.9.0.0/16) vyatta (yes I know this is a wide audience, but it comes to the environment, I inherited, I'm running with a project to put private network addresses, but its not finished quite yet)
The problem seems to be information of ASA to the internal network behind the vyatta - 192.168.11.0/24.
When I check my syslog I get the following error: (this example has been a connection attempt mstsc)
: Inbound TCP connection deny from 192.9.216.190/60660 to 192.168.11.101/3389 SYN flags on the interface insideNow Im guessing this SYN message means that the ASA trying to NAT my outgoing packets... which is strange because I have configured a rule sheep. But when I do a show nat is the result:
ABN-FW3-CISCO ASA5510 # display nat inside
is the intellectual property inside 192.9.0.0 outside 192.168.11.0 255.255.0.0 255.255.255.0
Exempt from NAT
translate_hits = 0, untranslate_hits = 37 (this value does not change)Here is my config for NAT
Inside_nat0_outbound to access extended list ip 192.9.0.0 255.255.0.0 allow 192.168.11.0 255.255.255.0
Inside_nat0_outbound to access ip 10.0.0.0 scope list allow 255.255.255.0 192.168.11.0 255.255.255.0
Access extensive list ip 192.10.201.0 Inside_nat0_outbound allow 255.255.255.0 192.168.11.0 255.255.255.0(I have a separate ACL for interesting traffic)
VPN_cryptomap to access extended list ip 192.9.0.0 255.255.0.0 allow 192.168.11.0 255.255.255.0
VPN_cryptomap to access ip 10.0.0.0 scope list allow 255.0.0.0 192.168.11.0 255.255.255.0
Access extensive list ip 192.10.201.0 VPN_cryptomap allow 255.255.255.0 192.168.11.0 255.255.255.0
Global 1 interface (outside)
NAT (inside) 0-list of access Inside_nat0_outbound
NAT (inside) 1 0.0.0.0 0.0.0.0
NAT (dmz) 1 172.30.3.0 255.255.255.0
NAT (management) 1 192.10.201.0 255.255.255.0
NAT (dmz2) 1 172.30.2.0 255.255.255.0
static (inside, dmz) 192.9.0.0 192.9.0.0 255.255.0.0 subnet maskIm guessing that one of these rules is in conflict? Does nat (inside) 0 Inside_nat0_outbound access list take precedence over the nat (inside) 1 0.0.0.0 0.0.0.0?
I can post more if necessary config, any help at this point would be much appreciated
Hmm looks like you establish 192.168.11.0 who seems to be blocked by the ACL on the traffic of 192.9.0.0 inside the interface.
Please paste config ACL or see if that blocks this traffic.
Thank you
Ajay
-
Cannot ping inside the vpn client hosts. It's a NAT problem
Hello everyone, I'm running into what seems to be a cause of exclusion with an IOS IPSEC VPN NAT/nat. I can connect to the VPN with cisco IPSEC VPN client, and I am able to authenticate. Once I have authenticate, I'm not able to reach one of the guests inside. Below is my relevant config. Any help would be greatly appreciated.
AAA new-model
!
!
AAA authentication login default local
radius of group AAA authentication login userauthen
AAA authorization exec default local
AAA authorization groupauthor LAN
crypto ISAKMP policy 3
BA 3des
preshared authentication
Group 2
!
ISAKMP crypto client configuration group businessVPN
key xxxxxx
DNS 192.168.10.2
business.local field
pool vpnpool
ACL 108
Crypto isakmp VPNclient profile
businessVPN group identity match
client authentication list userauthen
ISAKMP authorization list groupauthor
client configuration address respond
!
!
Crypto ipsec transform-set esp-3des esp-sha-hmac RIGHT
!
Crypto-map dynamic dynmap 10
Set transform-set RIGHT
Define VPNclient isakmp-profile
market arriere-route
!
!
10 ipsec-isakmp crypto map clientmap Dynamics dynmap
interface Loopback0
IP 10.1.10.2 255.255.255.252
no ip redirection
no ip unreachable
no ip proxy-arp
IP virtual-reassembly
!
Null0 interface
no ip unreachable
!
interface FastEthernet0/0
IP 111.111.111.138 255.255.255.252
IP access-group outside_in in
no ip redirection
no ip unreachable
no ip proxy-arp
NAT outside IP
inspect the outgoing IP outside
IP virtual-reassembly
automatic duplex
automatic speed
clientmap card crypto
!
the integrated-Service-Engine0/0 interface
description Locator is initialized with default IMAP group
IP unnumbered Loopback0
no ip redirection
no ip unreachable
no ip proxy-arp
IP virtual-reassembly
ip address of service-module 10.1.10.1 255.255.255.252
Service-module ip default gateway - 10.1.10.2
interface BVI1
IP 192.168.10.1 255.255.255.0
no ip redirection
no ip unreachable
no ip proxy-arp
IP nat inside
IP virtual-reassembly
IP nat inside source static tcp 192.168.10.2 25 interface FastEthernet0/0 25
IP nat inside source static tcp 192.168.10.2 443 interface FastEthernet0/0 443
IP nat inside source static tcp 192.168.10.2 3389 interface FastEthernet0/0 3389
IP nat inside source map route nat interface FastEthernet0/0 overload
nat extended IP access list
deny ip 192.168.10.0 0.0.0.255 192.168.109.0 0.0.0.255
refuse the 10.1.1.0 ip 0.0.0.255 192.168.109.0 0.0.0.255
ip licensing 10.1.1.0 0.0.0.255 any
permit ip 192.168.10.0 0.0.0.255 any
sheep extended IP access list
permit ip 192.168.10.0 0.0.0.255 192.168.109.0 0.0.0.255
ip permit 10.1.10.0 0.0.0.255 192.168.109.0 0.0.0.255
ip licensing 10.1.1.0 0.0.0.255 192.168.109.0 0.0.0.255
outside_in extended IP access list
permit tcp object-group Yes_SMTP host 111.111.111.138 eq smtp
permit any any eq 443 tcp
permit tcp 20.20.20.96 0.0.0.31 host 111.111.111.138 eq 3389
permit tcp 20.20.20.96 0.0.0.31 host 111.111.111.138 eq 22
allow any host 111.111.111.138 esp
allow any host 111.111.111.138 eq isakmp udp
allow any host 111.111.111.138 eq non500-isakmp udp
allow any host 111.111.111.138 ahp
allow accord any host 111.111.111.138
access-list 108 allow ip 192.168.109.0 0.0.0.255 192.168.10.0 0.0.0.255
access-list 108 allow ip 192.168.109.0 0.0.0.255 10.1.1.0 0.0.0.255
access-list 108 allow ip 192.168.109.0 0.0.0.255 10.1.10.0 0.0.0.255
!
!
!
!
route nat allowed 10 map
match ip address nat
1 channel ip bridge
In my view, the acl applied to customer is back. It must allow traffic from the internal network to the pool of customers.
To confirm, you can open the Cisco VPN client statistics (after login) then go in the route Details tab. We should see the networks you should be able to reach the customer. Make sure that the good ones are here.
Kind regards
-
Access remote VPN, no split tunneling, internet access. Translation NAT problem
Hi all, I'm new to the forum. I have a Cisco ASA 5505 with confusing (to me) question NAT.
Unique external IP (outside interface) with several translations of NAT static object to allow the redirection of port of various internal devices. The configuration worked smoothly during the past years.
Recently, I configured a without the split tunneling VPN remote access and access to the internet and noticed yesterday that my port forwarding has stopped working.
I reviewed the new rules for the VPN NAT and found the culprit.
I've been reviewing the rules again and again, and all I can think about and interpret it, I don't know how this rule affects the port forwarding on the device or how to fix.
Here's the NAT rules, I have in place: ('inactive' rule is the culprit. Once I have turn on this rule, the port forwarding hits a wall)
NAT (inside, outside) static source any any static destination VPN_Subnet VPN_Subnet non-proxy-arp-search to itinerary
NAT (outside, outside) static source VPN_Subnet VPN_Subnet VPN_Subnet VPN_Subnet non-proxy-arp-search of route static destination
NAT (outside, outside) source VPN_Subnet dynamic interface inactive
!
network obj_any object
NAT dynamic interface (indoor, outdoor)
network of the XXX_HTTP object
NAT (inside, outside) interface static tcp www www service
Access-group outside_access_in in interface outside
Route outside 0.0.0.0 0.0.0.0 xxx.xxx.xxx.xxx 1Any help would be appreciated.
Try changing the nat rule to VPN_Subnet interface of nat (outside, outside) the after-service automatic dynamic source
With respect,
Safwan
-
Site to Site VPN of IOS - impossible route after VPN + NAT
Hello
I have problems with a VPN on 2 routers access 8xx: I am trying to set up a quick and dirty VPN Site to Site with a source NAT VPN tunnel endpoint. This configuration is only intended to run from one day only inter. I managed to do the work of VPN and I traced the translations of NAT VPN tunnel endpoint, but I couldn't make these translated packages which must move outside the access router, because intended to be VPN traffic network is not directly connected to leave the router. However, I can ping the hosts directly connected to the router for access through the VPN.
Something done routing not to work, I don't think the NATing, because I tried to remove the NAT and I couldn't follow all outgoing packets that must be sent, so I suspect this feature is not included in the IOS of the range of routers Cisco 8xx.
I'm that extends the features VPN + NAT + routing too, or is there a configuration error in my setup?
This is the configuration on the router from Cisco 8xx (I provided only the VPN endpoint, as the works of VPN endpoint)
VPN endpoints: 10.20.1.2 and 10.10.1.2
routing to 192.168.2.0 is necessary to 192.168.1.2 to 192.168.1.254
From 172.31.0.x to 192.168.1.x
!
version 12.4
no service button
horodateurs service debug datetime msec
Log service timestamps datetime msec
encryption password service
!
hostname INSIDEVPN
!
boot-start-marker
boot-end-marker
!
enable secret 5 xxxxxxxxxxxxxxx
!
No aaa new-model
!
!
dot11 syslog
no ip cef
!
!
!
!
IP domain name xxxx.xxxx
!
Authenticated MultiLink bundle-name Panel
!
!
username root password 7 xxxxxxxxxxxxxx
!
!
crypto ISAKMP policy 10
BA 3des
preshared authentication
ISAKMP crypto key address 10.20.1.2 xxxxxxxxxxxxx
!
!
Crypto ipsec transform-set esp-3des esp-sha-hmac VPN-TRANSFORMATIONS
!
CRYPTOMAP 10 ipsec-isakmp crypto map
defined by peer 10.20.1.2
game of transformation-VPN-TRANSFORMATIONS
match address 100
!
Archives
The config log
hidekeys
!
!
LAN controller 0
line-run cpe
!
!
!
!
interface BRI0
no ip address
encapsulation hdlc
Shutdown
!
interface FastEthernet0
switchport access vlan 12
No cdp enable
card crypto CRYPTOMAP
!
interface FastEthernet1
switchport access vlan 2
No cdp enable
!
interface FastEthernet2
switchport access vlan 2
No cdp enable
!
interface FastEthernet3
switchport access vlan 2
No cdp enable
!
interface Vlan1
no ip address
!
interface Vlan2
IP 192.168.1.1 255.255.255.248
NAT outside IP
IP virtual-reassembly
!
interface Vlan12
10.10.1.2 IP address 255.255.255.0
IP nat inside
IP virtual-reassembly
card crypto CRYPTOMAP
!
IP forward-Protocol ND
IP route 192.168.2.0 255.255.255.0 192.168.1.254
IP route 10.20.0.0 255.255.0.0 10.10.1.254
Route IP 172.31.0.0 255.255.0.0 Vlan12
!
!
no ip address of the http server
no ip http secure server
IP nat inside source static 172.31.0.2 192.168.1.11
IP nat inside source 172.31.0.3 static 192.168.1.12
!
access-list 100 permit ip 192.168.1.0 0.0.0.255 172.31.0.0 0.0.255.255
access-list 100 permit ip 192.168.2.0 0.0.0.255 172.31.0.0 0.0.255.255
!
!
control plan
!
!
Line con 0
no activation of the modem
line to 0
line vty 0 4
password 7 xxxxxxxxx
opening of session
!
max-task-time 5000 Planner
end
Hi Jürgen,
First of all, when I went through your config, I saw these lines,
!
interface Vlan2
IP 192.168.1.1 255.255.255.248
!
!
IP route 192.168.2.0 255.255.255.0 192.168.1.254
!
With 255.255.255.248 192.168.1.1 and 192.168.1.254 subnet will fall to different subnets. So I don't think you can join 192.168.2.0/24 subnet to the local router at this point. I think you should fix that first.
Maybe have 192.168.1.2 255.255.255. 248 on the router connected (instead of 192.168.1.254)
Once this has been done. We will have to look at routing.
You are 172.31.0.2-> 192.168.1.11 natting
Now, in order for that to work, make sure that a source addresses (192.168.1.11) NAT is outside the subnet router to router connected (if you go with 192.168.1.0/29 subnet router to router, with 192.168.1.1/29 on the local router and 192.168.1.2/29 on the connected router as suggested, it will be fine). So in this case 192.168.1.8/29 to the subnet that your NAT would be sources fall.
Have a static route on the router connected (192.168.1.2) for the network 192.168.1.8/29 pointing 192.168.1.1,
!
IP route 192.168.1.8 255.255.255.248 192.168.1.1
!
If return packets will be correctly routed toward our local router.
If you have an interface on the connected rotuer which includes the NAT would be source address range, let's say 192.168.1.254/24, even if you do your packages reach somehow 192.168.2.0/24, the package return never goes to the local router (192.168.1.1) because the connected router sees it as a connected subnet, so it will only expire
I hope I understood your scenario. Pleae make changes and let me know how you went with it.
Also, please don't forget to rate this post so useful.
Shamal
-
Need help to configure VPN NAT traffic to ip address external pool ASA
Hello
I need to configure vpn NAT ip address traffic external pool ASA
For example.
Apart from the ip address is 1.1.1.10
VPN traffic must be nat to 1.1.1.11
If I try to configure policy nat or static nat ASA gives me error "global address of overlap with mask.
Please, help me to solve this problem.
Thank you best regards &,.
Ramanantsoa
Thank you, and since you are just 1 IP 1.1.1.11 Polo, the traffic can only be initiated from your site to the remote end.
Here is the configuration of NAT:
access list nat - vpn ip 192.168.1.0 allow 255.255.255.0 10.0.0.0 255.255.0.0
NAT (inside) 5 access list nat - vpn
Overall 5 1.1.1.11 (outside)
In addition, the ACL crypto for the tunnel from site to site should be as follows:
access-list allow 1.1.1.11 ip host 10.0.0.0 255.255.0.0
Hope that helps.
-
Vuze download is very slow... He pointed out that I have a nat problem
nat problem?
Vuze download is very slow... He pointed out that I have a nat problem... Help please.?
Hello
· What browser do you use to access the internet?
· What is the full error message that you receive?
· Is it only when you download on Vuze?
I suggest that temporarily disable you antivirus software and firewall installed on your computer and check to see if it helps:
Disable the anti-virus software
http://Windows.Microsoft.com/en-us/Windows-Vista/disable-antivirus-software
Enable or disable Windows Firewall
http://Windows.Microsoft.com/en-us/Windows-Vista/turn-Windows-Firewall-on-or-offNote: disabling anti-virus or Windows Firewall can make your computer (and your network, if you have one) more vulnerable to damage caused by worms or hackers.
You can also post your query on Vuze forum to get help:
-
Hello
is it possible to install?
I have a pc and I want to connect to the Remote LAN.
PC (using vpn client) - vpn (internet)---> ROUTER1 - a vpn (MPLS network)---> ROUTER2---> SERVER site
How can I connect to a remote server? Is there an easy way?
I did the configuration of the vpn client (I can connect ROUTER1 and access a LAN via vpn with 192.168.1.x), but I can't connect to the server, even if I set the subnet (192.168.1.x) under the access list of site to site vpn (access list for traffic that must pass between ROUTER1 and ROUTER2).
Please advise! Thanks in advance.
Looks like I've not well explained.
On ROUTER1
===================
1 ACL VNC_acl is used to split tunnel, so you should include IP server_NET it NOT vpn IP pool.
2 ACL najavorbel is used to set the lan lan traffic between ROUTER1 and ROUTER2, 2 you should inlcude
IP 192.168.133.0 allow 0.0.0.255 0.0.0.255
You must change the crypto ROUTER2 ACL of the minor or the najavorbel of the ACL
The other way to is to the client VPN NAT IP to a local area network lan IP ROUTER1, in this way, you don't need any changes on ROUTER2. But I have to take a look at your configuration to make the suggestion.
-
Networks VPN NAT l2l problem-Dup-HELP!
I use a router IOS as a VPN L2L device to connect my site to several different customer locations, some of them use the same internal IP addresses. These VPNS have been working well.
I recently added another client to this system and I am now having a problem with the new configuration. With this configuration, I have NAT my internal addresses. NAT works correctly, but it NAT my bad common NAT addresses and therefore do not generate the tunnel.
My internal IP 10.10.x.x
incorrect NAT pool 10.129.x.x
decent NAT pool 10.99.x.x
Help... :))
Thank you
The problem is simple. You have almost an identical ACL for two guests. As the first NAT rule has been added previously, it comes into play. To resolve this issue, you must set explicit host/subnet destination match instead of 'none' keyword.
For example like this:
ip access-list extended ME-CRYPTO-ACL
permit ip 10.129.40.0 0.0.0.255 host 10.10.131.63
ip access-list extended ME-NAT-ACL
permit ip 10.10.10.0 0.0.0.255 host 10.10.131.63
ip access-list extended SA-CRYPTO-ACL
permit ip 10.96.21.0 0.0.0.255 host 10.99.2.95
ip access-list extended SA-NAT-ACL
permit ip 10.10.10.0 0.0.0.255 host 10.99.2.95
Another solution is more complex and harder to understand (and explain), you can use Virtual models with tunnel-protection for each customer, VRF and NAT for common services.
___
HTH. Please rate this post if this has been helpful. If it solves your problem, please mark this message as "right answer".
-
IPSEC VPN from Site to Site - NAT problem with address management
Hi all
I have two Cisco ASA 5505 performing of IPSEC Site to Site VPN. All traffic inside each firewall through the VPN tunnel and I have full connectivity. From site A, I can connect to the inside address of the ASA at the site B and launch of the ASDM or SSH, etc.
The problem I have is when I'm logged on the ASA site B management traffic is given the external address. I created this as interesting traffic to get it to go through the VPN but I need to use the inside address of ASA B. The following is possible:
- If I can make the ASA Site B to use inside interface as its address management (I already have management access to the inside Interface)
- I have NAT can address external interfaces to Site B before moving through the VPN tunnel management traffic so that it appears to come from Site B inside the address
- I can NAT VPN traffic as it appears in the Site A for management traffic to Site B on the right address.
The problem is that my PRACTICE Please also come from this address and I need the application before being on an internal address to even if my CA.
Thanks for any help.
Ian
Thanks, I understand what you are trying to achieve now.
However, I think that I don't have good news for you. Unfortunately PEIE request can be initiated of the SAA within the interface, as there is no option to start the query from the inside interface. With other features of management such as AAA, logging, you have an option to specify what ASA desired originally to demand from interface, but CEP doesn't have this option.
Here's how you can configure under the trustpoint crypto, but unfortunately by specifying the interface doesn't not part of option:
http://www.Cisco.com/en/us/docs/security/ASA/asa84/command/reference/C5.html#wp2262210
-
NAT, stop communication OSX VPN configuration problem.
Hello
It is my first time posting in this forum. I have trouble getting Mac computers (my test is OSX 10.8.2) to correctly connect the VPN to the company. We have a Cisco ASA5510, who manages the VPN applications. Here are some details:
-Windows computers, Cisco VPN Client (not Anyconnect) are able to connect to the VPN and access internal/etc file server computers, just as we want to.
-Mac can establish a VPN connection, but cannot communicate with servers or internal machines. I can't connect to or ping the file server by using its IP address. Also, I can't ping my personal work computer.
-BUT, from my work computer I CAN ping the ip address of the Mac he receives after connecting via VPN. Thus, internal Windows PC can ping external VPN would be Mac, but Mac cannot ping inner Windows pc.
ASDM using I was able to run Packet Tracer. I got trace a ping of the machine address Windows 192.168.0.52 23 to address the 192.168.5.33/24 Mac VPN. This succeeded.
The use of Packet Tracer to trace a ping the address VPN for Mac 192.168.5.33/24 to 192.168.0.52 Windows address 23 is not successful. The package goes through the following phases: 'Capture', 'Access-list', 'looking for route', 'Access-List', 'Options IP', 'Inspect', 'Inspect', 'Debug ICMP","Free of NAT", until it reaches"NAT"where I get this message:
Menu - NAT Action - type
Config
NAT (inside1) 1 0.0.0.0 0.0.0.0
match ip inside1 all inside1 all
dynamic translation of hen 1 (192.168.1.1 [Interface PAT])
translate_hits = 913403, untranslate_hits = 27
The result is that the package is abandoned.
Info: flow (acl-drop) is denied by the configured rule
I'm not super familiar with ACL or NAT configuration, so I do not know what changes I need to do to make this work correctly. I find as strange as the windows pc using the customer Cisco have no problem to communicate internally after the connection, but do not have a Mac Mac built-in Cisco IPSEC VPN.
Any help would be greatly appreciated.
-Jean-Claude
P.s. I have included a screenshot of the screen of Packet Tracer.
Is your home wireless network was in the 192.168.1.0/24 subnet? If this is the case, try to change to a different subnet as you suggested earlier and see if it works.
-
I've recently updated to 8.3.2 and I have been informed of these NAT changes, but even after reading the https://supportforums.cisco.com/docs/DOC-12569 I am still unable to rectify the communication network 192.168.100.0 VPN with hosts on 172.16.1.0 and 172.16.9.0. VPN clients connect to the external interface, and I try to ping inside and the demilitarized zone, respectable 172.16.1.0 and 172.16.9.0 hosts. VPN client shows that the two previously mentioned networks such as roads of security, but still not to the ping pong.
# sh nat
Manual NAT policies (Section 1)
1 (inside) to the (whole) source static obj - 172.16.9.0 obj - 172.16.9.0 destination static obj - obj - unidirectional 192.168.100.0 192.168.100.0
translate_hits = 0, untranslate_hits = 0
2 (inside) to the (whole) source static obj - 172.16.1.0 obj - 172.16.1.0 destination static obj - obj - unidirectional 192.168.100.0 192.168.100.0
translate_hits = 0, untranslate_hits = 0
3 (inside) to the (whole) source static obj - 172.16.1.0 obj - 172.16.1.0 destination static obj - 172.16.12.0 obj - one-way 172.16.12.0
translate_hits = 0, untranslate_hits = 0
4 (dmz) to (outside) source static obj - 172.16.9.0 obj - 172.16.9.0 destination static obj - obj - unidirectional 192.168.100.0 192.168.100.0
translate_hits = 0, untranslate_hits = 0
5 (dmz) to (outside) source static obj - 172.16.9.0 obj - 172.16.9.0 destination static obj - 172.16.12.0 obj - one-way 172.16.12.0
translate_hits = 0, untranslate_hits = 0
Auto NAT policies (Section 2)
1 (dmz), to the source (external) static obj - 172.16.9.5 interface tcp www www service
translate_hits = 0, untranslate_hits = 142
2 (dmz) (outdoor) source static obj - 172.16.9.5 - 01 interface service tcp 3389 3389
translate_hits = 0, untranslate_hits = 2
3 (dmz) (outdoor) source static obj - 172.16.9.5 - 02 interface tcp ldap ldap service
translate_hits = 0, untranslate_hits = 0
4 (dmz) (outdoor) source static obj interface - 172.16.9.5 - 03 service ftp ftp tcp
translate_hits = 0, untranslate_hits = 0
5 (dmz) to (outside) of the source static obj - 172.16.9.5 - 04 interface tcp smtp smtp service
translate_hits = 0, untranslate_hits = 267
6 (inside) source static obj - 172.16.9.0 172.16.9.0 (dmz)
translate_hits = 4070, untranslate_hits = 224
7 (inside) to (dmz) source static obj - 10.1.0.0 10.1.0.0
translate_hits = 0, untranslate_hits = 0
8 (inside) to (dmz) source static obj - 172.16.0.0 172.16.0.0
translate_hits = 152, untranslate_hits = 4082
9 (dmz) to dynamic interface of the obj - 172.16.9.0 - 01 source (outdoor)
translate_hits = 69, untranslate_hits = 0
10 (inside) to the obj_any interface dynamic source (external)
translate_hits = 196, untranslate_hits = 32
I think you must following two NAT config
NAT (inside, outside) source static obj - 172.16.1.0 obj - 172.16.1.0 destination static obj - 192.168.100.0 obj - 192.168.100.0
NAT (dmz, external) source static obj - 172.16.9.0 obj - 172.16.9.0 destination static obj - 192.168.100.0 obj - 192.168.100.0Please configure them and remove any additional NAT configuration and then try again.
-
Client VPN connectivity problems
I use the cisco VPN client to connect to our network, located behind a 515E. The client is authenticated and gets an ip address but cannot ping or connect with one of the hosts. The connection is to a network of customers that is also behind a 515E. I have successfully connected using the same policy to other places and have had no problem. What confuses me, is that we have used to have a Netscreen firewall before and he had a netscreen vpn client which connected since their network with a problem. Is that something they need for their firewall so that we can get through the traffic?
Try to turn on NAT - T on your pix, by setting up:
ISAKMP nat-traversal 20
and configure the client vpn accordingly:
http://www.Cisco.com/warp/public/471/cvpn_3k_nat.html#conf_client
I think these discussions are useful:
-
VPN Tunnel problem. external interface has private IP
Hi all
I don't know if it is wired or not!
When our ISP provide us an Internet connection our real IP is configured on the ethernet interface, while the serial interfaces have a private IP address.
The problem here is when I'm trying to configure a VPN tunnel to another router.
Anything in the configuration is smooth, except for the part where I put the serial interface is my outside.
The tunnel is still low coz the IP address will be my private (serial interface) during the configuration on the router counterpart is my public IP address.
So I am woundering is there a way I can force the VPN tunnel to take the IP address configured on the side LAN? Or any other work around?
Building configuration...
Current configuration: 2372 bytes
!
version 12.4
horodateurs service debug datetime msec
Log service timestamps datetime msec
no password encryption service
!
boot-start-marker
start the flash c1841-advsecurityk9 - mz.124 - 23.bin system
boot-end-marker
!
property intellectual auth-proxy max-nodata-& 3
property intellectual admission max-nodata-& 3
!
crypto ISAKMP policy 1
BA 3des
preshared authentication
Group 2
!
crypto ISAKMP policy 2
BA 3des
md5 hash
preshared authentication
Group 2
isakmp encryption key * address 144.254.x.y
!
!
Crypto ipsec transform-set esp-SHA-ESP-3DES-3des esp-sha-hmac
!
map SDM_CMAP_1 1 ipsec-isakmp crypto
Description Tunnel to144.254.x.y
the value of 144.254.x.y peer
game of transformation-ESP-3DES-SHA
match address VPN_Traffic
!
!
!
interface FastEthernet0/0
address IP 10.55.218.1 255.255.255.0 secondary (My internal subnet)
IP address 196.219.a.b 255.255.255.224 (my public IP)
IP nat inside
IP virtual-reassembly
automatic duplex
automatic speed
No keepalive
!
interface FastEthernet0/1
no ip address
automatic duplex
automatic speed
!
interface Serial0/0/0
no ip address
frame relay IETF encapsulation
frame-relay lmi-type q933a
!
point-to-point interface Serial0/0/0.16
IP 172.16.133.2 255.255.255.252
NAT outside IP
IP virtual-reassembly
SNMP trap-the link status
dlci 16 frame relay interface
map SDM_CMAP_1 crypto
!
interface Serial0/0/1
no ip address
frame relay IETF encapsulation
ignore the dcd
frame-relay lmi-type q933a
!
point-to-point interface Serial0/0/1.16
IP 172.16.134.2 255.255.255.252
NAT outside IP
IP virtual-reassembly
SNMP trap-the link status
dlci 16 frame relay interface
map SDM_CMAP_1 crypto
!
IP forward-Protocol ND
IP route 0.0.0.0 0.0.0.0 Serial0/0/1.16
IP route 0.0.0.0 0.0.0.0 Serial0/0/0.16
!
VPN_Traffic extended IP access list
Note Protect traffic Local to any Destination subnet
Remark SDM_ACL = 4 category
IP 10.55.218.0 allow 0.0.0.255 any
!
Scheduler allocate 20000 1000
end
This should do the trick.
map SDM_CMAP_1 crypto local-address FastEthernet0/0
See you soon
Maybe you are looking for
-
my iPhone 6 more airpiece is too low despite being at maximum volume
-
update of the elements of custer in an effective way
Hello I have a group of 20 digital items. The problem, the user clicks on the items 1 and updates the value, element 1 runs continuously. Now the user wants to update the item 2 but item 1 does not stop and also element 2 should run continuously as p
-
error on the stand-alone with Subvi application
I developed a VI that call a Subvi with Labview 8.6. It works fine in VI or in an executable file on my development computer. I want to run it on another PC, so I have created an installer with the following additional installer: -4.4 NI-VISA run tim
-
Hello! I'm learning module 9211 and I used the start-up 9211-example and it worked but readings had been arrested with two degrees. Then I found this: http://digital.ni.com/public.nsf/allkb/AAEC7BF96A019EFB862570E4006D9204 I downloaded the file, repl
-
Re: Error internal Codes 2502 and 2503 for installing steam on Windows 8
I installed Windows 8 and tried to install Steam from Valve but didn't these internal error codes 2502 and 2503 pop up. Does anyone know how to fix this? Thank you.