vpn NATting traffic

I have my vpn set up exactly as I need. Users can connect to the vpn and get an IP of 172.16.17.0/24. These users can access then machines hidden behind the asa on the private interface 172.16.16.1/24. Users on the 172.16.16.1 interface can also access any machine not on the private through the router using nat interface. What I can not understand how is allowing vpn also users to access any machine not on the private via NAT on the router interface. Help would be appreciated.

See the road from ciscoasa #.
Gateway of last resort is a.b.c.1 to network 0.0.0.0

C 172.16.16.0 255.255.254.0 is directly connected, igbprivate
S 172.16.17.20 255.255.255.255 [1/0] via a.b.c.189, igbpublic
C 255.255.252.0 a.b.c.0 is directly connected, igbpublic
C 192.168.1.0 255.255.255.0 is directly connected, management
S * 0.0.0.0 0.0.0.0 [1/0] via ak.b.c.124.1, igbpublic

access list

access list 101 line 1 permit extended ip 172.16.16.0 255.255.255.0 172.16.17.0 255.255.255.0

in the running-config nat statements

interface of global (igbpublic) 1
NAT (igbprivate) 0-access list 101
NAT (igbprivate) 1 0.0.0.0 0.0.0.0

If your VPN users connect on the side of the SAA Public then I still think Hairpining is what you should look into. It is very similar to my problem in which I want to VPN users to access internet through VPN. Packets from the VPN users must enter the public interface and return directly. I hope I understand this.

Tags: Cisco Security

Similar Questions

Need help to configure VPN NAT traffic to ip address external pool ASA

Hello

I need to configure vpn NAT ip address traffic external pool ASA

For example.

Apart from the ip address is 1.1.1.10

VPN traffic must be nat to 1.1.1.11

If I try to configure policy nat or static nat ASA gives me error "global address of overlap with mask.

Please, help me to solve this problem.

Thank you best regards &,.

Ramanantsoa

Thank you, and since you are just 1 IP 1.1.1.11 Polo, the traffic can only be initiated from your site to the remote end.

Here is the configuration of NAT:

access list nat - vpn ip 192.168.1.0 allow 255.255.255.0 10.0.0.0 255.255.0.0

NAT (inside) 5 access list nat - vpn

Overall 5 1.1.1.11 (outside)

In addition, the ACL crypto for the tunnel from site to site should be as follows:

access-list allow 1.1.1.11 ip host 10.0.0.0 255.255.0.0

Hope that helps.

After VPN NAT

Hello

I have the following problem and can't seem to find a solution.

I have 2 routers Cisco, A and B with a VPN connection. Two routers have a serial number

interface pointing outside and an ethernet interface (allows to call the A and B)

pointing to the inside.

Traffic between Subnet A and B is NOT coordinated and VPN works great.

Now router B has a second ethernet (C), subnet C interface.

I added this subnet to the IPSEC ACLS on both routers as I want to allow A subnet

access subnet C via the VPN.

The tunnel is running with no NAT is done.

However, the B, B and C subnet access router is using a NAT:

Interface B

IP nat inside

!

The C interface

NAT outside IP

!

IP nat inside source overload map route NAT interface C

!

route NAT allowed 10 map

corresponds to the IP 123

!

access-list 123 allow ip SUBNET_B SUBNET_C

So far so good. Now the problem:

How can I NAT traffic from subnet to subnet A C?

I tried to add

access-list 123 allow ip SUBNET_A SUBNET_C

but it does not help that the outbound VPN seems to not be affected by the

NAT rule, probably because it is not considered as coming from an interface with ip nat «»

inside. "

Is there a way to do this without using the tunnel interfaces?

Thanks in advance,

If I understand you correctly, you want traffic from subnet A reach router B, deciphering, NATted interface B and thten routed to interface C.

Please correct me if I'm wrong.

You can use ACB (routing based on the policy) for this.

Create an ACL to identify traffic:

access-list 101 permit ip subnet A subnet C

Create a loop:

Loopback int 1

IP 1.1.1.1 255.255.255.252

IP nat inside

output

Create a road map to route traffic after its decrypted.

pol_nat allowed 10 route map

corresponds to the IP 101

set ip next-hop 1.1.1.2

output

Apply the road map to your WAN interface:

int 0 series

IP policy route map pol_nat

output

In this way, traffic is first decrypted and is routed to the loopback, which has a 'ip nat inside' applied, then it will be routed to the subnet C after being natted with your NAT rule.

* Please rate if this can help.

-Kanishka

VPN / Natting issue - connectivity to 3rd Party Partner Site

Hello

I received a request to provide a connectivity solution between our private server 10.102.x.y and a3rd advantage partner server. 10.247.x.y solution of VPN site to site. I want to hide our real IP of 10.102.x.y and replace 10.160.x.y (using Natting).

The configuration is the following:

3rd party partner server->	3rd party ASA FW->	Tunnel VPN IPSec Internet->	Our ASA FW->	Our server private
10.247.x.y				10.102.x.y private IP NAT'd IP10.160.xy

3rd party partner server->

3rd party ASA FW->

Tunnel VPN IPSec Internet->

Our ASA FW->

Our server private

10.247.x.y

10.102.x.y private IP

NAT'd IP10.160.xy

My dogs entered so far (still awaiting 3rd party to set up their ASA)

name 10.160.x.y OurNat'dServer

crypto ISAKMP policy 6
preshared authentication
aes-256 encryption
sha hash
Group 5
lifetime 28800

Crypto ipsec transform-set 3rd Party esp-aes-256 esp-sha-hmac

3rd party ip host 10.160.x.y host 10.247.x.y allowed extended access list

tunnel-group 80.x.x.x type ipsec-l2l
80.x.x.x group of tunnel ipsec-attributes
pre-shared key xxxxxxxxx

football match 117 card crypto vpnmap address 3rd party

card crypto vpnmap 117 counterpart set 80.x.x.x

card crypto vpnmap 117 the transform-set 3rd Party value

public static 10.160.x.y (Interior, exterior) 10.102.x.y netmask 255.255.255.255

The config goes to meet my requirements and the solution envisaged, or is my inaccurate understanding?

Any help on this would be appreciated.

Thanks in advance,

Select this option.

Hello

Who will break actually internet traffic with this server because the external address that is sent over the internet is considered to be a 10.160.x.y. In the past, I did something like this:

public static 10.160.x.y (Interior, exterior), list-dest-3rdParty access policy

policy-dest-3rdParty of the ip host 10.102.x.y host 10.247.x.y allowed extended access list

Who will ONLY perform NAT traffic on this server if traffic is coming from the 10.247.x.y.

Site to Site VPN of IOS - impossible route after VPN + NAT

Hello

I have problems with a VPN on 2 routers access 8xx: I am trying to set up a quick and dirty VPN Site to Site with a source NAT VPN tunnel endpoint. This configuration is only intended to run from one day only inter. I managed to do the work of VPN and I traced the translations of NAT VPN tunnel endpoint, but I couldn't make these translated packages which must move outside the access router, because intended to be VPN traffic network is not directly connected to leave the router. However, I can ping the hosts directly connected to the router for access through the VPN.

Something done routing not to work, I don't think the NATing, because I tried to remove the NAT and I couldn't follow all outgoing packets that must be sent, so I suspect this feature is not included in the IOS of the range of routers Cisco 8xx.

I'm that extends the features VPN + NAT + routing too, or is there a configuration error in my setup?

This is the configuration on the router from Cisco 8xx (I provided only the VPN endpoint, as the works of VPN endpoint)

VPN endpoints: 10.20.1.2 and 10.10.1.2

routing to 192.168.2.0 is necessary to 192.168.1.2 to 192.168.1.254

From 172.31.0.x to 192.168.1.x

!

version 12.4

no service button

horodateurs service debug datetime msec

Log service timestamps datetime msec

encryption password service

!

hostname INSIDEVPN

!

boot-start-marker

boot-end-marker

!

enable secret 5 xxxxxxxxxxxxxxx

!

No aaa new-model

!

!

dot11 syslog

no ip cef

!

!

!

!

IP domain name xxxx.xxxx

!

Authenticated MultiLink bundle-name Panel

!

!

username root password 7 xxxxxxxxxxxxxx

!

!

crypto ISAKMP policy 10

BA 3des

preshared authentication

ISAKMP crypto key address 10.20.1.2 xxxxxxxxxxxxx

!

!

Crypto ipsec transform-set esp-3des esp-sha-hmac VPN-TRANSFORMATIONS

!

CRYPTOMAP 10 ipsec-isakmp crypto map

defined by peer 10.20.1.2

game of transformation-VPN-TRANSFORMATIONS

match address 100

!

Archives

The config log

hidekeys

!

!

LAN controller 0

line-run cpe

!

!

!

!

interface BRI0

no ip address

encapsulation hdlc

Shutdown

!

interface FastEthernet0

switchport access vlan 12

No cdp enable

card crypto CRYPTOMAP

!

interface FastEthernet1

switchport access vlan 2

No cdp enable

!

interface FastEthernet2

switchport access vlan 2

No cdp enable

!

interface FastEthernet3

switchport access vlan 2

No cdp enable

!

interface Vlan1

no ip address

!

interface Vlan2

IP 192.168.1.1 255.255.255.248

NAT outside IP

IP virtual-reassembly

!

interface Vlan12

10.10.1.2 IP address 255.255.255.0

IP nat inside

IP virtual-reassembly

card crypto CRYPTOMAP

!

IP forward-Protocol ND

IP route 192.168.2.0 255.255.255.0 192.168.1.254

IP route 10.20.0.0 255.255.0.0 10.10.1.254

Route IP 172.31.0.0 255.255.0.0 Vlan12

!

!

no ip address of the http server

no ip http secure server

IP nat inside source static 172.31.0.2 192.168.1.11

IP nat inside source 172.31.0.3 static 192.168.1.12

!

access-list 100 permit ip 192.168.1.0 0.0.0.255 172.31.0.0 0.0.255.255

access-list 100 permit ip 192.168.2.0 0.0.0.255 172.31.0.0 0.0.255.255

!

!

control plan

!

!

Line con 0

no activation of the modem

line to 0

line vty 0 4

password 7 xxxxxxxxx

opening of session

!

max-task-time 5000 Planner

end

Hi Jürgen,

First of all, when I went through your config, I saw these lines,

!

interface Vlan2

IP 192.168.1.1 255.255.255.248

!

!

IP route 192.168.2.0 255.255.255.0 192.168.1.254

!

With 255.255.255.248 192.168.1.1 and 192.168.1.254 subnet will fall to different subnets. So I don't think you can join 192.168.2.0/24 subnet to the local router at this point. I think you should fix that first.

Maybe have 192.168.1.2 255.255.255. 248 on the router connected (instead of 192.168.1.254)

Once this has been done. We will have to look at routing.

You are 172.31.0.2-> 192.168.1.11 natting

Now, in order for that to work, make sure that a source addresses (192.168.1.11) NAT is outside the subnet router to router connected (if you go with 192.168.1.0/29 subnet router to router, with 192.168.1.1/29 on the local router and 192.168.1.2/29 on the connected router as suggested, it will be fine). So in this case 192.168.1.8/29 to the subnet that your NAT would be sources fall.

Have a static route on the router connected (192.168.1.2) for the network 192.168.1.8/29 pointing 192.168.1.1,

!

IP route 192.168.1.8 255.255.255.248 192.168.1.1

!

If return packets will be correctly routed toward our local router.

If you have an interface on the connected rotuer which includes the NAT would be source address range, let's say 192.168.1.254/24, even if you do your packages reach somehow 192.168.2.0/24, the package return never goes to the local router (192.168.1.1) because the connected router sees it as a connected subnet, so it will only expire

I hope I understood your scenario. Pleae make changes and let me know how you went with it.

Also, please don't forget to rate this post so useful.

Shamal

NAT traffic on tunneling IPSec (ISR)

Hello.

I assumed that I have configure IPSec tunnel between a kind of 1811 and some checkpoint firewall. The IPSec part isen t that big of a deal, but system on the absence of "Side CheckPoint" traffic manager if the tunnel must be from a public IP address and the only source of IP address.

So, let's say that my ISP gave me 10.10.1.1 - 10.10.1.5, our clients Interior have an IP address of 192.168.10.0/24 range and the remote application in the site "Checkpoint" is the IP address of 172.16.1.10. The result should be:

IPSec tunnel is created by using the IP address 10.10.1.1 .

Traffic of 192.168.1.0/24 customers should access the application to the address 172.16.1.10 using as a source above the IPSec tunnel address 10.10.1.2 .

Is this possible? I guess that would mean I have NAT traffic goes, however, the IPSec tunnel, but I'm unable to get this to work. I googled all day long looking for something similar.

Anyone who could enlighten us? Any ideas appreciated.

Sheers!

/ Johan Christensson

Yes, it is possible. That you should get what you need. Let us know if it works or not.

extended policy-NAT IP access list

ip permit 192.168.1.0 0.0.0.255 host 172.16.1.10

nat pool IP LAN-Checkpoint 10.10.1.2 10.10.1.2 netmask 255.255.255.0

IP nat inside source list policy-NAT pool LAN-point of overload control

PIX of Concentrator VPN tunnel, can I NAT traffic before the tunnel?

I have a tunnel IPSEC of PIX-to-VPNConcentrator.

I have a localhost on my PIX inside interface with the IP 192.168.5.5 but the site on the end of the tunnel VPNConcentrator wants to see the IP 192.168.77.9 (because they use the 192.168.5.x network to an end for another use)

I know how things NAT from inside out, but I never have NAT - ed before traffic tunnel.

Can I NAT a local inside IP address BEFORE traffic hits the tunnel?

Yes, it is possible. Please see the below URL for the configuration details:

http://www.Cisco.com/en/us/Tech/tk583/TK372/technologies_configuration_example09186a00800949f1.shtml

Kind regards

Arul

VPN - NAT Exemption?

Hi all

Just a mental block, I feel at the moment.

ASA 5585 code 9.0.x race - there is no NAT configuration at all on the box. This ASA firewall will end a site to site VPN. -

My question is - is a rule of "NAT exemption" required... .similar to the crypto ACL for the traffic in the tunnel... .or is NAT exemption required only when NAT is configured.

My apologies if this is a silly question

Thank you

James

When there is no NAT config, the ASA will pass all traffic not translated, which includes the traffic tunnel. If you're right, you don't need any NAT exemption.

However, you can configure it. For example, if you plan to add NAT at a later stage, then it might be easier to implement than NAT if your NAT exemption is already in place.

Internet through a RA IPSec VPN Tunnel traffic

Armed with an ASA 5505 Security Plus, I configure IPSec VPN for RA the VPN IP address pool is in the 192.168.2.0/28 network.

The Lan is 192.168.1.0/24 with inside interface a.254.

The VPN works great. What I would do is to route all internet through the firewall traffic when users are connected to the VPN. I put this gateway 192.168.1.254 tunnel, but I'm having no luck to get it works.

Any ideas?

Thanks in advance!

You are just going to route internet traffic to the remote vpn client to the ASA and backward on the Internet?

If the above statement is correct, you need not configure the tunnel default gateway.

But you need to configure NAT for the ip pool, so they can go to the internet, as well as the 'same-security-movement' command as follows:

NAT (outside) 1 192.168.2.0 255.255.255.0

permit same-security-traffic intra-interface

In addition, assuming that you have not have split configured tunnel.

Site to Site VPN NAT conflicts

I have a site to site vpn between my main office and an office. Traffic between flow correctly with the exception of some protocols. My main router has static NAT configured for port 25 and a few others. For each of these protocols that have a static nat, I can't send the traffic from my office to the IP in the static nat

either I can't access port 25 on 172.16.1.1 of my office of the branch of the 172.17.1.1, but I have remote desktop access

It's like my list of NAT is excluding the static entries that follow. I have posted below the configs. Any help would be appreciated.

Main office: 2811

Branch: 1841

Two routers connected to the internet. VPN site to Site between them with the following config

crypto ISAKMP policy 1

BA 3des

md5 hash

preshared authentication

Group 2

isakmp encryption key * address *. ***. * *.116

!

!

Crypto ipsec transform-set esp-3des esp-md5-hmac VPN - TS

!

map VPN-map 10 ipsec-isakmp crypto

set peer *. ***. * *.116

game of transformation-VPN-TS

match address VPN-TRAFFIC

I have two IP addresses on the router principal.122 et.123

There is an installer from the list of the deny on the two routers - that's the main:

overload of IP nat inside source list 100 interface FastEthernet0/0

access-list 100 remark = [Service NAT] =-

access-list 100 deny ip 172.16.0.0 0.0.255.255 172.17.0.0 0.0.255.255

access-list 100 permit ip 172.16.0.0 0.0.255.255 everything

access-list 100 permit ip 172.24.0.0 0.0.255.255 everything

To serve clients vpn no internet, the following nat is configured to send e-mail to exchamge

IP nat inside source static tcp 172.16.1.1 25 *. ***. * expandable 25 *.122

Try to use the nat policy to exclude traffic from your servers to be natted when switching to the branch office network.

Sth like this

STATIC_NAT extended IP access list

deny ip 172.16.1.1 host 172.17.1.0 255.255.255.0 aka nat0 for traffic from the server

allow the ip 172.16.1.1 host a

policy-NAT route map

corresponds to the IP STATIC_NAT

IP nat inside source static tcp 172.16.1.1 25 *. ***. 25-card *.122 of extensible policy-NAT route

ASA VPN (NAT problem)?

Hi people, I was hoping sopmeone on these forums might be able to help. I have some problem with a config for our ASA5510, functioning 8.2 (1)

I installed a VPN tunnel a firewall to vyatta off-site. The tunnel is up.

ABN-FW3-CISCO ASA5510 # show crypto ipsec his
Interface: outside
Tag crypto map: VPN_Zettagrid_Map, seq num: 10, local addr: 116.212.X.X
VPN_cryptomap list access ip 192.9.0.0 255.255.0.0 allow 192.168.11.0 255.255.255.0
local ident (addr, mask, prot, port): (192.9.0.0/255.255.0.0/0/0)
Remote ident (addr, mask, prot, port): (192.168.11.0/255.255.255.0/0/0)
current_peer: 119.252.X.X
#pkts program: 14, #pkts encrypt: 14, #pkts digest: 14
#pkts decaps: 16, #pkts decrypt: 16, #pkts check: 16
compressed #pkts: 0, unzipped #pkts: 0
#pkts uncompressed: 14, comp #pkts failed: 0, #pkts Dang failed: 0
success #frag before: 0, failures before #frag: 0, #fragments created: 0
Sent #PMTUs: 0, #PMTUs rcvd: 0, reassembly: 20th century / of frgs #decapsulated: 0
#send errors: 0, #recv errors: 0
local crypto endpt. : 116.212.X.X, remote Start crypto. : 119.252.X.X
Path mtu 1500, fresh ipsec generals 58, media, mtu 1500
current outbound SPI: 670F3BF5

Now I can pass information of the 119.252.X.X to our internal networks (192.9.0.0/16) vyatta (yes I know this is a wide audience, but it comes to the environment, I inherited, I'm running with a project to put private network addresses, but its not finished quite yet)

The problem seems to be information of ASA to the internal network behind the vyatta - 192.168.11.0/24.

When I check my syslog I get the following error: (this example has been a connection attempt mstsc)
: Inbound TCP connection deny from 192.9.216.190/60660 to 192.168.11.101/3389 SYN flags on the interface inside

Now Im guessing this SYN message means that the ASA trying to NAT my outgoing packets... which is strange because I have configured a rule sheep. But when I do a show nat is the result:

ABN-FW3-CISCO ASA5510 # display nat inside
is the intellectual property inside 192.9.0.0 outside 192.168.11.0 255.255.0.0 255.255.255.0
Exempt from NAT
translate_hits = 0, untranslate_hits = 37 (this value does not change)

Here is my config for NAT

Inside_nat0_outbound to access extended list ip 192.9.0.0 255.255.0.0 allow 192.168.11.0 255.255.255.0
Inside_nat0_outbound to access ip 10.0.0.0 scope list allow 255.255.255.0 192.168.11.0 255.255.255.0
Access extensive list ip 192.10.201.0 Inside_nat0_outbound allow 255.255.255.0 192.168.11.0 255.255.255.0

(I have a separate ACL for interesting traffic)

VPN_cryptomap to access extended list ip 192.9.0.0 255.255.0.0 allow 192.168.11.0 255.255.255.0

VPN_cryptomap to access ip 10.0.0.0 scope list allow 255.0.0.0 192.168.11.0 255.255.255.0

Access extensive list ip 192.10.201.0 VPN_cryptomap allow 255.255.255.0 192.168.11.0 255.255.255.0

Global 1 interface (outside)
NAT (inside) 0-list of access Inside_nat0_outbound
NAT (inside) 1 0.0.0.0 0.0.0.0
NAT (dmz) 1 172.30.3.0 255.255.255.0
NAT (management) 1 192.10.201.0 255.255.255.0
NAT (dmz2) 1 172.30.2.0 255.255.255.0
static (inside, dmz) 192.9.0.0 192.9.0.0 255.255.0.0 subnet mask

Im guessing that one of these rules is in conflict? Does nat (inside) 0 Inside_nat0_outbound access list take precedence over the nat (inside) 1 0.0.0.0 0.0.0.0?

I can post more if necessary config, any help at this point would be much appreciated

Hmm looks like you establish 192.168.11.0 who seems to be blocked by the ACL on the traffic of 192.9.0.0 inside the interface.

Please paste config ACL or see if that blocks this traffic.

Thank you

Ajay

Configuration VPN - NAT - T support

Hello

A partner of business (BP) has the following requirements. I don't know which statements of config I need to use to ensure this successful connection

Business (BP) needs partner complete the VPN tunnel on a firewall that is behind another firewall running NAT

(BP) will create UDP 500 and UDP 4500 endpoints on the NAT firewall which is forwarded to the Firewall VPN termination.

Because of this, the (BP) needs of my dissertation support encapsulation of ESP over UDP (NAT - T)

My series of ASA5500 using the code (825) has the statements

Crypto isakmp nat-traversal 21
crypto ISAKMP ipsec-over-tcp port 10000

VPN # match address BP_VPN crypto card
VPN # set peer (peer_ip) crypto card
VPN # game of transformation-AES_256_SHA crypto card

IPSec-l2l type tunnel-group (peer_ip)
IPSec-attributes of tunnel-group (peer_ip)
pre-shared key (TBD)

BP_VPN list extended access permit tcp host 10.x.x.x, 172.16.x.x eq (specified port) host
BP_VPN list extended access permit tcp host 10.x.x.y host 172.16.x.x eq (specified port)

NatExempt_VPN list extended access permit tcp host 10.x.x.x, 172.16.x.x eq (specified port) host
NatExempt_VPN list extended access permit tcp host 10.x.x.y host 172.16.x.x eq (specified port)

Please indicate whether these statements are sufficient and if not what else would be needed.

You need not order
```
crypto isakmp ipsec-over-tcp port 10000
```
It is for the exclusive implementation that was used before NAT - T is available. You only need to nat-traversal active. For your ACL, using ports in there makes everything complicated. You should see if you can just use 'ip' here. If there is already configured on your ASA virtual private networks, then the config is probably ok. If this isn't the case, you must always configure ISAKMP and activate the encryption on the interface card.

ASA L2L VPN NAT

We have a partner that we set up a VPN L2L with. Their internal host IP infringes on our internal IP range. Unfortunately, they are not offer NAT on their side. Is it possible on the SAA to configure a NAT device for my internal hosts will say 1.1.1.1 and ASA changes the internal address of the remote end overlapping?

If this is the scenario

192.168.5.0 ASA1 <---> <-- internet="" --="">ASA2<-->

ASA1 (NAT will be applied)

ASA2 (without nat will be applied)

You want to do something like that on ASA1

Change your source host or network to be 192.168.7.0 when communicating with the remote network. Change the remote network to come as long as 192.168.8.0 coming to your network on the SAA.

ACL soccer match:!-match-list ACLaccess acl_match_VPN ip 192.168.7.0 allow 255.255.255.0 192.168.5.0 255.255.255.0

! - NAT ACL

vpn_nat 192.168.5.0 ip access list allow 255.255.255.0 192.168.8.0 255.255.255.0

! - Translations

public static 192.168.7.0 (exterior, Interior) 192.168.5.0 netmask 255.255.255.0 0 0

static (inside, outside) 192.168.8.0 public - access policy-nat list

Complete the VPN configuration using acl_match_VPN as the ACL match. Your inside host will have to use the 192.168.7.0 network when you talk to the remote end.

I hope this helps.

VPN NAT help

I need to configure NAT on a VPN tunnel to accomplish the following. I already have the tunnel upward and running just need to confirm my NAT config.

ASA 8.2 Version running (5)

I only need to set up A

The internal subnet to site A is 172.30.6.0/24 and I need NAT this subnet to 172.31.183.0/24 when the destination subnet is 172.31.255.128/25

So here's what I thought.

Policy NAT 172.30.6.0/24 to 172.31.183.0/24 the translation when the destination is 172.31.255.128/25.

Public static 172.31.183.0 (inside, outside) - CBC-NAT-TRANSLATION access list

CBC-NAT-TRANSLATION scope ip 172.30.6.0 access list allow 255.255.255.0 172.31.255.128 255.255.255.128

Then I would need that

Public static 172.31.255.128 (exterior, Interior) 172.30.6.0 netmask 255.255.255.0

That sounds about right.

Thank you

Mike

Mike

As I said that I did not use a network with a static NAT strategy, so I don't know if the host part of the IP address matches the host Party in the range NAT if you see what I mean.

It could, but it cannot be a concern for you anyway. You would need to watch the xlate table once you make the connection to know for sure.

In addition, it means all devices in this subnet may send packets to each device in the remote subnet but once again can not be a cause for concern.

But apart from that, Yes, your config seems fine for me.

I try with the first beach and establish a connection and then if it works check the xlate dashboard to see exactly what IP he chose.

Jon

ASA 8.3 - SSL VPN - NAT problem

Need help to find how to configure anyconnect VPN with VPN client using a NAT networking internal.

There are many items on the side - how to disable NAT for vpn pool.

I need to create the gateway VPN to the complex international lnetwork, vpnpool is out of range of regular subnet of that network, so it's going to be questions witout NAT routing.

I so need to vpn clients connected to be PATed to . The problem is that there is also a dynamic to PAT rule for the ordinary acccess Iternet which translates as 'rules NAT asymmetry... "error.

Create two times different NAT rules and moving them on up/down makes no difference. There are also some hidden rules of vpn setup :-(that could not be seen.

V8.3 seems is destroying trust in Cisco firewall...

Thank you.

Stan,

Something like this works for me.

192.168.0.0/24---routeur--172.16.0.0/24 ASA-= cloud = host. (the tunnel he get IP address of 'over' pool, which is also connected to the inside)

BSNs-ASA5520-10 (config) # clear xlate
INFO: 762 xlates deleted
BSNs-ASA5520-10 (config) # sh run nat
NAT (inside, outside) static all of a destination SHARED SHARED static
!
NAT source auto after (indoor, outdoor) dynamic one interface
BSNs-ASA5520-10 (config) # sh run object network
network of the LOCAL_NETWORK object
192.168.0.0 subnet 255.255.255.0
The SHARED object network
172.16.0.0 subnet 255.255.255.0
BSNs-ASA5520-10 (config) # sh run ip local pool
IP local pool ALL 10.0.0.100 - 10.0.0.200
local IP ON 172.16.0.100 pool - 172.16.0.155
BSNs-ASA5520-10 (config) # sh run tunne
BSNs-ASA5520-10 (config) # sh run tunnel-group
attributes global-tunnel-group DefaultWEBVPNGroup
address pool ON

If I get your drift... bypass inside and outside is not really necessary on Cisco equipment as it should work straight out of the box via the proxy arp, but I'm not face or solution providers for remote access.

Marcin

vpn NATting traffic

Similar Questions

Maybe you are looking for