VPN overlapping NAT
Here is my complete config.
Here are a few notes:
IP obtained from the VPN: 10.250.128.X
LAN IP: 192.168.0.0/24
My VPN works fine at the moment.
What I want to do is NAT my VPN for this:
Example: I want to access the computer 192.168.0.2 on the company LAN.
I want to hit 192.168.200.2 from my PC (which is connected to the VPN) and have the Cisco translate 192.168.200.2 to 192.168.0.2 so that I can reach my PC at work.
Of course, I think it must be possible to do the other direction as well (192.168.0.2 to 192.168.200.2) so that the packets can be sent back (not sure about this).
Can you guys help me? At the moment this is out of my knowledge and I
ASA Version 8.2(1)
!
terminal width 250
hostname hostname
enable password d0/xPtlKePBzdYTe encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
names
!
interface Vlan1
 nameif inside
 security-level 100
 ip address 192.168.0.254 255.255.255.0
!
interface Vlan2
 nameif outside
 security-level 0
 ip address 10.0.128.1 255.255.255.0
!
interface Ethernet0/0
 switchport access vlan 2
 speed 10
 duplex full
!
interface Ethernet0/1
 speed 10
 duplex full
!
interface Ethernet0/2
!
interface Ethernet0/3
!
interface Ethernet0/4
!
interface Ethernet0/5
!
interface Ethernet0/6
!
interface Ethernet0/7
!
boot system disk0:/asa821-k8.bin
ftp mode passive
object-group service grp_outside_in tcp
 description Ports required for internal transfer
 port-object eq smtp
 port-object eq ssh
access-list inside-out extended permit ip any any
access-list inside-out extended permit icmp any any
access-list no_nat extended permit ip 192.168.0.0 255.255.0.0 10.250.128.0 255.255.255.0
access-list split-tunnel extended permit ip 192.168.0.0 255.255.20.0 10.250.128.0 255.255.255.0
access-list 100 extended permit ip 10.250.128.0 255.255.255.0 192.168.0.0 255.255.255.0
access-list 100 extended permit icmp 10.250.128.0 255.255.255.0 192.168.0.0 255.255.255.0
access-list 101 extended permit ip any any
access-list 101 extended permit icmp any any
pager lines 34
logging enable
logging timestamp
logging buffered debugging
logging trap debugging
logging asdm informational
mtu inside 1500
mtu outside 1500
ip local pool mobilepool 10.250.128.100-10.250.128.130 mask 255.255.255.0
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-621.bin
no asdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 0 access-list no_nat
nat (inside) 1 0.0.0.0 0.0.0.0
nat (outside) 1 0.0.0.0 0.0.0.0
route outside 0.0.0.0 0.0.0.0 10.0.128.2 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
dynamic-access-policy-record DfltAccessPolicy
aaa authentication ssh console LOCAL
http server enable
http 192.168.1.0 255.255.255.0 inside
http 192.168.0.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set floating esp-3des esp-md5-hmac
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
crypto dynamic-map dyn1 1 set transform-set floating
crypto dynamic-map dyn1 1 set reverse-route
crypto map mobilemap 1 ipsec-isakmp dynamic dyn1
crypto map mobilemap interface outside
crypto isakmp enable outside
crypto isakmp policy 1
 authentication pre-share
 encryption 3des
 hash sha
 group 2
 lifetime 86400
telnet timeout 5
ssh 192.168.0.0 255.255.255.0 inside
ssh 10.0.128.0 255.255.255.0 inside
ssh timeout 5
ssh version 2
console timeout 0
dhcpd auto_config outside
!
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
webvpn
group-policy vpn internal
group-policy vpn attributes
 vpn-simultaneous-logins 50
 vpn-idle-timeout 2000
 vpn-session-timeout 2000
group-policy mobile_policy internal
group-policy mobile_policy attributes
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value
username admin password N2TJh8TeuGc7EOVu encrypted privilege 15
username user1 password gLGaPhl70GqS8DhN encrypted
username user2 password Y7.fXmPk3FvKUGOO encrypted
tunnel-group mobilegroup type remote-access
tunnel-group mobilegroup general-attributes
 address-pool mobilepool
 default-group-policy mobile_policy
tunnel-group mobilegroup ipsec-attributes
 pre-shared-key *
!
class-map global-class
 match default-inspection-traffic
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum 512
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect rsh
  inspect rtsp
  inspect esmtp
  inspect sqlnet
  inspect skinny
  inspect sunrpc
  inspect xdmcp
  inspect sip
  inspect netbios
  inspect tftp
!
service-policy global_policy global
prompt hostname context
Cryptochecksum:012d58f20bdf997d1e7b6927431e0015
: end
Hi Gyslain,
So, if I understand correctly, you want the following:
- NAT the local LAN 192.168.0.0/24 to 192.168.200.0/24 for the VPN Client users, so that it does not overlap with their local network while they are connected
To my knowledge, you should be able to handle this with the following changes to your configuration:
- Configure policy NAT
- Change the split tunnel rules
- Remove the existing NAT0 rule
Here are some example configurations that I think should handle the situation. Of course, keep the old configuration at hand in case you need to go back to it.
Remove the NAT0 rule
- no nat (inside) 0 access-list no_nat
- no access-list no_nat extended permit ip 192.168.0.0 255.255.0.0 10.250.128.0 255.255.255.0
By removing the above configuration, we avoid presenting the LAN to the VPN Client user with its original IP addresses.
Create the policy NAT
- access-list VPN-CLIENT-POLICY-NAT permit ip 192.168.0.0 255.255.255.0 10.250.128.0 255.255.255.0
- static (inside,outside) 192.168.200.0 access-list VPN-CLIENT-POLICY-NAT netmask 255.255.255.0
With the above configuration, we tell the ASA to NAT your local LAN 192.168.0.0/24 to 192.168.200.0/24 WHEN connections are made to the destination network 10.250.128.0/24, which is the VPN Client pool. This naturally works in both directions. Also note that if your LAN host's IP address is, for example, 192.168.0.100, its NAT address will be 192.168.200.100.
Change the VPN Client split tunnel
- access-list VPN-SPLIT-TUNNEL standard permit 192.168.200.0 255.255.255.0
- group-policy mobile_policy attributes
 split-tunnel-network-list value VPN-SPLIT-TUNNEL
The above configuration changes your VPN Client split tunnel ACL to a standard ACL that specifies which networks are sent through the VPN to your client. In this case, it is the new policy NAT network 192.168.200.0/24. After configuring the ACL, you naturally set it under the VPN settings.
I don't know if you have split tunnel configured at all, because the configuration does not show the ACL name, at least. I know you can have the "tunnelspecified" line without specifying the actual ACL, but I don't know whether that is a copy/paste problem or a typo. This should work with full tunnel as well.
With the above configuration, to my knowledge, everything should work.
-Jouni
EDIT: Some typos
Edit2: Group policy name was wrong
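An added Python model (not from the thread, not Cisco code) of the ASA 8.2 NAT lookup order that Jouni's change relies on: the exemption rule (nat 0 access-list) is consulted before any static, so the policy static only takes effect once the no_nat line is gone, and a netmask-based static keeps the host bits, which is why 192.168.0.100 shows up as 192.168.200.100. The networks are the thread's; the outside interface address 10.0.128.1 comes from the posted config.

```python
import ipaddress
from dataclasses import dataclass, field
from typing import List, Tuple

Net = ipaddress.IPv4Network
Addr = ipaddress.IPv4Address


@dataclass
class AclEntry:
    """One 'permit ip <src> <mask> <dst> <mask>' line of an ASA extended ACL."""
    src: Net
    dst: Net

    def matches(self, src_ip: Addr, dst_ip: Addr) -> bool:
        return src_ip in self.src and dst_ip in self.dst


@dataclass
class PolicyStatic:
    """static (inside,outside) <mapped_net> access-list <acl> netmask <mask>"""
    mapped: Net
    acl: List[AclEntry]


@dataclass
class Asa82Nat:
    """The subset of the 8.2 NAT table that matters for inside -> outside traffic."""
    exempt_acl: List[AclEntry] = field(default_factory=list)   # nat (inside) 0 access-list ...
    statics: List[PolicyStatic] = field(default_factory=list)  # static (inside,outside) ... access-list ...
    outside_if: str = "10.0.128.1"                             # global (outside) 1 interface


def shift_host(ip: Addr, from_net: Net, to_net: Net) -> Addr:
    """A netmask-based static keeps the host bits: 192.168.0.100 -> 192.168.200.100."""
    return Addr(int(to_net.network_address) + (int(ip) - int(from_net.network_address)))


def translate_outbound(cfg: Asa82Nat, src: str, dst: str) -> Tuple[str, str]:
    """Return (rule that won, source address the peer sees) for an inside->outside packet."""
    src_ip, dst_ip = Addr(src), Addr(dst)
    # 1. NAT exemption is checked first; when it matches, nothing else is consulted.
    if any(e.matches(src_ip, dst_ip) for e in cfg.exempt_acl):
        return "nat0-exempt", str(src_ip)
    # 2. Policy static: translate only when the ACL's src/dst pair matches.
    for st in cfg.statics:
        for e in st.acl:
            if e.matches(src_ip, dst_ip):
                return "static-policy", str(shift_host(src_ip, e.src, st.mapped))
    # 3. Otherwise the catch-all 'nat (inside) 1 0.0.0.0 0.0.0.0' PATs to the interface.
    return "pat-interface", cfg.outside_if


def untranslate_inbound(cfg: Asa82Nat, src: str, dst: str) -> str:
    """Reverse direction: a VPN client sends to the mapped address; find the real host."""
    src_ip, dst_ip = Addr(src), Addr(dst)
    for st in cfg.statics:
        if dst_ip in st.mapped:
            for e in st.acl:
                if src_ip in e.dst:  # the client pool is the ACL's destination side
                    return str(shift_host(dst_ip, st.mapped, e.src))
    return str(dst_ip)  # no static applies: the mapped address is not translated


POOL = Net("10.250.128.0/24")     # ip local pool mobilepool
LAN = Net("192.168.0.0/24")       # office LAN behind Vlan1
MAPPED = Net("192.168.200.0/24")  # what the VPN clients should see

# The thread's original state: only the no_nat exemption (mask 255.255.0.0 as posted).
BEFORE = Asa82Nat(exempt_acl=[AclEntry(Net("192.168.0.0/16"), POOL)])
# Jouni's change applied: exemption removed, policy static added.
AFTER = Asa82Nat(statics=[PolicyStatic(MAPPED, [AclEntry(LAN, POOL)])])
# What happens if the static is added but the nat 0 line is left in place.
BOTH = Asa82Nat(exempt_acl=BEFORE.exempt_acl, statics=AFTER.statics)


def client_needs_mapping(client_lan: str) -> bool:
    """The reason for all of this: the client's home LAN overlaps the office LAN."""
    return Net(client_lan).overlaps(LAN)


if __name__ == "__main__":
    for name, cfg in ("before", BEFORE), ("after", AFTER), ("both", BOTH):
        print(name, translate_outbound(cfg, "192.168.0.2", "10.250.128.100"))
    print("client -> 192.168.200.2 reaches",
          untranslate_inbound(AFTER, "10.250.128.100", "192.168.200.2"))
```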
Similar Questions
-
Hello community,
I'm going nuts here. We are trying to configure policy NAT through a site-to-site VPN tunnel, but can't seem to get it working. Here is our configuration:
access-list sheep extended permit ip 192.168.1.0 255.255.255.0 192.168.12.0 255.255.255.0
access-list sheep extended permit ip host 10.23.1.5 192.168.12.0 255.255.255.0
access-list inside_nat_static extended permit ip host 192.168.1.5 192.168.12.0 255.255.255.0
access-list inside_nat_static2 extended permit ip host 192.168.1.5 any
nat (inside) 0 access-list sheep
nat (inside) 2 192.168.1.0 255.255.255.0
static (inside,outside) 10.23.1.5 access-list inside_nat_static
static (inside,outside) 63.123.4.56 access-list inside_nat_static2
I omitted the VPN part because it is correct. When we initiate a ping, the tunnel comes up. The problem we have is on our side, with the policy NAT I think. With a ping from the remote side, we see all the incoming traffic on our ASA, but our server does not transmit back out.
Appreciate any input...
-Tom
Tom,
Sorry for the delay, I forgot about you, I've just been very busy.
Here's what you'll need:
First remove these (you intentionally don't want the NAT traffic in 'sheep'):
access-list sheep extended permit ip 192.168.1.0 255.255.255.0 192.168.12.0 255.255.255.0
access-list sheep extended permit ip host 10.23.1.5 192.168.12.0 255.255.255.0
Then add this to translate your outgoing traffic:
access-list 199 permit ip host 192.168.1.5 192.168.12.0 255.255.255.0
static (inside,outside) 10.23.1.5 access-list 199
Translate your inbound traffic as well:
static (outside,inside) 192.168.12.0 192.168.1.0 netmask 255.255.255.0
Write your crypto ACL with the translated local host to the remote subnet:
access-list cryptomap permit ip host 10.23.1.5 192.168.12.0 255.255.255.0
You can remove the other line of the ACL.
Your host should then be able to reach 192.168.12.x, which is the translated remote network.
Try it and let me know how it goes.
Raga
-
Splitting static traffic between the VPN and NAT
Hi all
We have a site-to-site VPN that secures all traffic from 10.160.8.0/24 to/from 10.0.0.0/8. It's for everything, including Internet traffic. However, there is one exception (of course)...
The part I can't get to work: if traffic comes from the VPN (10.0.0.0/8) to 10.160.8.5 (on 80 or 443), then the return traffic must go back through the VPN. BUT, if traffic on 80 or 443 comes from anywhere else (the Internet via X.X.X.X, which translates to 10.160.8.5), then it needs to be translated and sent back out to the Internet via Gig2.
I have the following setup (tried to include just the necessary lines)...
interface GigabitEthernet2
 ip address Y.Y.Y.Y 255.255.255.0
 ! X.X.X.X and Y.Y.Y.Y are in the same subnet
 ip address X.X.X.X 255.255.255.0 secondary
 ip nat outside
 crypto map ipsec-map-S2S
interface GigabitEthernet4.2020
 description 2020
 encapsulation dot1Q 2020
 ip address 10.160.8.1 255.255.255.0
 ip nat inside
 ip virtual-reassembly
ip nat inside source list NAT-outgoing interface GigabitEthernet2 overload
ip nat inside source static tcp 10.160.8.5 80 X.X.X.X 80 route-map NO-NAT extendable
ip nat inside source static tcp 10.160.8.5 443 X.X.X.X 443 route-map NO-NAT extendable
ip access-list extended NAT-outgoing
 deny tcp host 10.160.8.5 10.0.0.0 0.0.0.255 eq www
 deny tcp host 10.160.8.5 10.0.0.0 0.0.0.255 eq 443
 permit tcp host 10.160.8.5 any eq www
 permit tcp host 10.160.8.5 any eq 443
ip access-list extended NO-NAT
 deny tcp host 10.160.8.5 10.0.0.0 0.0.0.255 eq www
 deny tcp host 10.160.8.5 10.0.0.0 0.0.0.255 eq 443
 permit ip any any
route-map NO-NAT permit 10
 match ip address NO-NAT
With the above configuration, I can get to 10.160.8.5 from the Internet, but cannot reach it across the VPN tunnel (from 10.200.0.0/16). If I remove the two "ip nat inside source static..." commands, then the opposite happens: I can get to 10.160.8.5 over the VPN tunnel, but now I can't get to it from the Internet.
How can I get both? It seems that when I hit the first NAT statement (overload on Gig2), the "deny" in the NAT-outgoing ACL punts me out of that NAT statement. It then processes the next NAT statement (one of the "ip nat inside source static..." ones), but the "deny" in the NO-NAT ACL doesn't seem to punt me out of that NAT statement. That's my theory anyway (maybe something else is happening?)
Does it work like that, or am I misunderstanding something? It's on a Cisco Cloud Services Router (CSR 1000v).
Thank you!
Your netmask is wrong for 10.0.0.0/8. I also wouldn't bother with the port/protocol, since that can trip you up. A better way to do it would be to deny all IP VPN traffic.
ip access-list extended NAT-outgoing
 deny ip 10.160.8.0 0.0.0.255 10.0.0.0 0.255.255.255
 ...
ip access-list extended NO-NAT
 deny ip 10.160.8.0 0.0.0.255 10.0.0.0 0.255.255.255
 permit ip any any
Doc:
Router-to-Router IPSec with NAT Overload and Cisco Secure VPN Client
Thank you
Brendan
-
How can I get the VPN client connection NAT-ted?
I installed a router at a customer site to replace a PC that did the NAT on a cable modem connection.
On the router, NAT is done so that all the PCs on the LAN can access the Internet.
But... one of the users uses a VPN client to get to his office. With the PC there was no problem, but now that the router is in place he cannot connect.
Because I specialise in switched networks, my knowledge of NAT and VPN clients is limited.
Is there anyone who knows how to get this VPN client user's session NAT-ted?
Kind regards
Martijn Koopsen
If you have overload configured, then you are PATing the traffic. In any case, you should at least be able to establish a connection, as IPSec uses UDP 500 for the tunnel negotiation. If you are not able to pass all traffic, that is another question. Once the tunnel is established, the traffic is encrypted using the ESP protocol, which cannot be PATed under normal circumstances. If this is a Cisco IPsec client, then you must find out what the terminating device is. If it's a 3K concentrator, you could enable IPSec over UDP to work around the ESP problem.
Hope that helps
Jean Marc
-
3000 concentrator LAN-to-LAN VPN with NAT
I need to configure a LAN-to-LAN VPN between two 3030 concentrators (separate companies) over the Internet. My company assigns a small subnet for hosts sitting on the client network. The customer wants to use their own IP subnet and assign IP addresses within their range, so they do static NAT on their concentrator. Is this possible? Or do they have to NAT the PCs before reaching the concentrator? Any help much appreciated.
Hello
The VPN Concentrator supports NAT.
HTH
Kind regards
GE.
-
Hello. I'm creating a LAN-to-LAN IPsec VPN tunnel from my ASA5510 to another network, but have hit a bit of an obstacle. My counterpart on the other side has informed me that he already has a VPN tunnel to another company that has the same IP range as my network (10.100.16.0/24), and so cannot create the tunnel.
I was wondering whether it is possible to use NAT on the VPN tunnel, so that traffic going from my network over the VPN tunnel gets translated and my counterpart on the other side sees this translated range of IP addresses?
Thanks in advance for any help.
Hello
Yes, you can use the same address you already use for Internet access.
Just update your crypto access list to reflect the new address and make sure the third party does the same.
Jon
-
RA VPN through NAT-T troubleshooting
Hello
Currently, my VPN works great from the outside to the router. The problem is, I'm not sure why traffic from the inside is not finding its way to the outside (the VPN client). I tried adding the interesting traffic ACL to my DynamicMap; the VPN client did not lock up, but there is an ISAKMP QM_IDLE session and an IPSEC tunnel created. I also tried adding a static route on all my local routers (for test only) for the 10.0.12.0 network to my VPN router 10.0.0.188; only my network devices can communicate with my VPN client host when I do this, but the hosts that are part of the network cannot.
I have attached the config and debug outputs.
Any suggestions?
TIA,
-Fred
Hello
Can you please add a no-nat ACL with the internal LAN as source and the VPN pool as destination.
Make sure that your gateway router has a route to the VPN pool.
r/g
-
IOS IPsec VPN with NAT translation problem
I'm having a problem with an IOS IPsec VPN configuration.
/*
crypto isakmp policy 10
 encr 3des
 authentication pre-share
 group 2
crypto isakmp key TEST123 address 205.xx.1.4
!
!
crypto ipsec transform-set CHAIN esp-3des esp-sha-hmac
!
!
crypto map CRYPTO-MAP 10 ipsec-isakmp
 set peer 205.xx.1.4
 set transform-set CHAIN
 match address 115
!
interface FastEthernet0/0
 description TO THE EDGE ROUTER
 ip address 208.xx.xx.33 255.255.255.252
 ip nat outside
 crypto map CRYPTO-MAP
!
interface FastEthernet0/1
 description INTERNAL NETWORK
 ip address 10.15.2.4 255.255.255.0
 ip nat inside
access-list 115 permit ip 192.xx.xx.128 0.0.0.3 172.xx.1.0 0.0.0.3
*/
(This configuration is incomplete; the NAT configuration is needed)
Here is the solution I'm looking for:
When a session is initiated from the "internal network" to the remote IPsec network "172.xx.1.0/30", I want the "10.15.0.0/16" address scheme NAT-translated to "192.xx.xx.128/30" before forwarding through the IPsec VPN tunnel.
For more information, see the attached schema.
Any help is greatly appreciated!
Thank you
Clint Simmons
Network engineer
You can try the following NAT + route-map approach (method 2 in this link):
http://www.Cisco.com/en/us/Tech/tk648/tk361/technologies_tech_note09186a0080093fca.shtml
Thank you
Raja K
-
ASA5505 SSL AnyConnect VPN and NAT Reverse Path failure
I've been working on this for a while and just haven't found a solution yet.
I have a Cisco ASA5505 set up at home and I'm trying to use the AnyConnect VPN client with it. I followed the ASA 8.x split tunnel example, but I'm still missing something.
My home network is 10.170.x.x and I set the VPN address pool to 10.170.13.x. I have a Windows workstation at 10.170.0.6, printers at 10.170.0.20 and .21, and the inside of the router itself is 10.170.0.1.
I can connect from the outside and am assigned the IP address 10.170.13.10, but when I try to access network resources via ICMP or open a web page, the ASDM log shows a bunch of this:
5 | Jan 27 2010 | 10:33:37 | 305013 | 10.170.255.255 | 137 | Asymmetric NAT rules matched for forward and reverse flows; Connection for udp src outside:10.170.13.10/137 dst inside:10.170.255.255/137 denied due to NAT reverse path failure
5 | Jan 27 2010 | 10:33:36 | 305013 | 10.170.255.255 | 137 | Asymmetric NAT rules matched for forward and reverse flows; Connection for udp src outside:10.170.13.10/137 dst inside:10.170.255.255/137 denied due to NAT reverse path failure
5 | Jan 27 2010 | 10:33:35 | 305013 | 10.170.255.255 | 137 | Asymmetric NAT rules matched for forward and reverse flows; Connection for udp src outside:10.170.13.10/137 dst inside:10.170.255.255/137 denied due to NAT reverse path failure
5 | Jan 27 2010 | 10:33:34 | 305013 | 10.170.0.6 | Asymmetric NAT rules matched for forward and reverse flows; Connection for icmp src outside:10.170.13.10 dst inside:10.170.0.6 (type 8, code 0) denied due to NAT reverse path failure
5 | Jan 27 2010 | 10:33:30 | 305013 | 10.170.255.255 | 137 | Asymmetric NAT rules matched for forward and reverse flows; Connection for udp src outside:10.170.13.10/137 dst inside:10.170.255.255/137 denied due to NAT reverse path failure
5 | Jan 27 2010 | 10:33:29 | 305013 | 10.170.255.255 | 137 | Asymmetric NAT rules matched for forward and reverse flows; Connection for udp src outside:10.170.13.10/137 dst inside:10.170.255.255/137 denied due to NAT reverse path failure
5 | Jan 27 2010 | 10:33:28 | 305013 | 10.170.255.255 | 137 | Asymmetric NAT rules matched for forward and reverse flows; Connection for udp src outside:10.170.13.10/137 dst inside:10.170.255.255/137 denied due to NAT reverse path failure
5 | Jan 27 2010 | 10:33:28 | 305013 | 10.170.0.6 | Asymmetric NAT rules matched for forward and reverse flows; Connection for icmp src outside:10.170.13.10 dst inside:10.170.0.6 (type 8, code 0) denied due to NAT reverse path failure
5 | Jan 27 2010 | 10:33:23 | 305013 | 10.170.0.6 | Asymmetric NAT rules matched for forward and reverse flows; Connection for icmp src outside:10.170.13.10 dst inside:10.170.0.6 (type 8, code 0) denied due to NAT reverse path failure
5 | Jan 27 2010 | 10:33:17 | 305013 | 10.170.0.6 | Asymmetric NAT rules matched for forward and reverse flows; Connection for icmp src outside:10.170.13.10 dst inside:10.170.0.6 (type 8, code 0) denied due to NAT reverse path failure
5 | Jan 27 2010 | 10:33:13 | 305013 | 10.170.0.6 | Asymmetric NAT rules matched for forward and reverse flows; Connection for icmp src outside:10.170.13.10 dst inside:10.170.0.6 (type 8, code 0) denied due to NAT reverse path failure
5 | Jan 27 2010 | 10:33:07 | 305013 | 10.170.0.6 | Asymmetric NAT rules matched for forward and reverse flows; Connection for icmp src outside:10.170.13.10 dst inside:10.170.0.6 (type 8, code 0) denied due to NAT reverse path failure
I tried several things with NAT, but was not able to get beyond that. Does anyone mind looking at my running config and helping me with this? Thanks a bunch!
-Tim
A couple of points to check.
name 10.17.13.0 UFP-VPN-pool looks like it should be name 10.170.13.0 UFP-VPN-pool
access-list inside_nat0_outbound extended permit ip list zero 255.255.0.0 UFP-VPN-pool 255.255.255.0
looks like it should be
access-list inside_nat0_outbound extended permit ip list zero 255.255.255.0 UFP-VPN-pool 255.255.255.0
-
Hi all
I'm quite inexperienced in this subject and would appreciate advice on this.
I need to create a VPN tunnel between our site and a remote site.
On our site we have a 192.168.0.X network; our external IP address is 12.53.150.100.
The site we need to connect to is 69.144.38.48.
We need to go from host to host, meaning 192.168.0.97 --> 69.144.38.50, and they want our IP to translate to 10.9.250.1.
Thanks in advance
Jason
Are you familiar with setting up a regular L2L tunnel? In addition to that, you just create a policy NAT:
access-list 100 extended permit ip host 192.168.0.97 host 69.144.38.50
static (inside,outside) 10.9.250.1 access-list 100
When you define your crypto ACL, you specify 10.9.250.1 as the source instead of 192.168.0.97.
Let me know if you need more help.
-
LAN to LAN VPN with NAT - solved!
Hello world
I have problems with an L2L VPN: it is up and established, however when traffic comes from the other side of the tunnel it does not reach the host on the internal network that is using a static NAT. The inside host 172.18.30.225 is currently NATted to yyy.30.49.14, which is an IP address on the DMZ (yyy.30.49.0 255.255.255.240) interface.
Here is the configuration
object-group network NET-Tunnel
 network-object host xxx.220.129.134
access-list Tunnel-ACL extended permit ip host yyy.30.49.14 object-group NET-Tunnel
crypto map MAP_Tunnel 20 match address Tunnel-ACL
object network Tunnel-iServer-NAT
 host yyy.30.49.14
object network Tunnel-iServer
 host 172.18.30.225
 nat (inside,DMZ) static Tunnel-iServer-NAT
I hope that is enough for someone to help me.
Thank you
M
ASA Version 8.3.1
Post edited by: network operations
Does the internal host live on the DMZ network or the internal one? If it lives on the internal network, you cannot NAT it to the DMZ interface and have it go out the outside interface, assuming that the outside interface is the VPN endpoint interface. If you terminate the VPN on the DMZ interface and the internal host lives on the internal network, then that's fine.
-
Hello
I configured a PIX (6.3) for VPN clients (4.0.2). When I try to connect using a dial-up connection I am able to connect, but through a NAT (via a router) I stay connected but cannot access any of the servers. It shows zero packets decrypted.
Is there something I need to do on the PIX? I'm using IPSEC.
Help, please.
NAT, or more precisely PAT, will usually break an IPSec connection. Fortunately, there is a new standard called NAT-T that has each end detect that they are going through a NAT/PAT device, and if so they wrap everything in UDP packets, which can then be NATed correctly.
The client has this feature enabled automatically. On the PIX, turn it on with the command:
> isakmp nat-traversal
See http://www.cisco.com/univercd/cc/td/doc/product/iaabu/pix/pix_sw/v_63/cmdref/gl.htm#1027312 for more details.
-
Remote access ASA, VPN and NAT
Hello
I'm trying to get remote access VPN working using the Cisco VPN client and an ASA, with no split tunneling. The VPN works a little: I can access devices inside when I connect, but I can't access the Internet. I don't see any errors in the ASA log except these:
Jul 1 04:59:15 gatekeeper %ASA-3-305006: portmap translation creation failed for udp src outside:192.168.47.200/137 dst outside:192.168.47.255/137
Jul 1 04:59:15 gatekeeper %ASA-3-305006: portmap translation creation failed for udp src outside:192.168.47.200/54918 dst outside:xx.xxx.xxx.xxx/53
There is only one public IP address, which is assigned to the outside interface by DHCP. The inside is the 192.168.1.0/24 network, which is PAT'ed to the outside interface, and the VPN network is 192.168.47.X.
I think my problem is that the .47 net is not NAT'ed out properly and I don't know exactly how to set that up. I can't understand how this is supposed to work, since the VPN net technically originates from the outside already.
Here is all the relevant config:
access-list vpn extended permit ip any 192.168.47.0 255.255.255.0
mtu inside 1500
mtu outside 1500
ip local pool vpnpool 192.168.47.200-192.168.47.220 mask 255.255.255.0
ip verify reverse-path interface outside
ip audit info action alarm drop
ip audit attack action alarm drop
icmp unreachable rate-limit 1 burst-size 1
icmp permit any outside
global (inside) 2 interface
global (outside) 1 interface
nat (inside) 0 access-list vpn
nat (inside) 1 0.0.0.0 0.0.0.0
nat (outside) 2 192.168.47.0 255.255.255.0 outside
static (inside,outside) tcp interface 3074 XBOX360 3074 netmask 255.255.255.255
static (inside,outside) udp interface 3074 XBOX360 3074 netmask 255.255.255.255
static (inside,outside) udp interface 88 XBOX360 88 netmask 255.255.255.255
static (inside,outside) tcp interface https someids https netmask 255.255.255.255
I can post more of the configuration if necessary.
Changing 'nat (outside) 2 192.168.47.0 255.255.255.0 outside' to 'nat (outside) 2 access-list vpn outside' gives this:
Jul 1 06:18:35 gatekeeper %ASA-3-305005: No translation group found for udp src outside:192.168.47.200/56003 dst outside:66.174.95.44/53
So, how do I NAT the VPN traffic correctly so it can access the Internet?
A few things need to be changed:
(1) The NAT exemption ACL must be modified to be more specific, so that only traffic between the internal subnet and the VPN pool subnet is left untranslated. NAT exemption takes precedence over all other NAT statements, so your Internet traffic from the VPN does not work.
This ACL:
access-list vpn extended permit ip any 192.168.47.0 255.255.255.0
Should be changed to:
access-list vpn extended permit ip 192.168.1.0 255.255.255.0 192.168.47.0 255.255.255.0
(2) You don't need the "global (inside) 2" statement. Here's what needs to be configured:
no nat (outside) 2 192.168.47.0 255.255.255.0 outside
no global (inside) 2 interface
nat (outside) 1 192.168.47.0 255.255.255.0
(3) And finally, you must enable the following to allow traffic to go back out the outside interface:
same-security-traffic permit intra-interface
And don't forget to "clear xlate" after the changes above and reconnect your VPN.
Hope that helps.
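An added example (not from either thread): a small Python triage helper for the ASA NAT-related syslogs quoted on this page, the ASDM-exported 305013 lines in the AnyConnect thread above and the raw %ASA-3-305005/305006 lines in this thread. It extracts the flow and flags the two conditions these threads turned on: a flow that enters and leaves the same interface (which needs same-security-traffic permit intra-interface) and a source and destination sharing a /16 (a VPN pool carved out of the LAN, the asymmetric NAT case). The sample lines are copies of the ones quoted on the page.

```python
import ipaddress
import re
from typing import Dict, List, Optional, Tuple

# Constructed sample input: copies of log lines quoted in the threads on this page,
# in the two formats they appear in (ASDM log-viewer export and raw syslog).
SAMPLE_LINES = [
    "5 | Jan 27 2010 | 10:33:37 | 305013 | 10.170.255.255 | 137 | Asymmetric NAT rules matched for forward and reverse flows; Connection for udp src outside:10.170.13.10/137 dst inside:10.170.255.255/137 denied due to NAT reverse path failure",
    "5 | Jan 27 2010 | 10:33:34 | 305013 | 10.170.0.6 | Asymmetric NAT rules matched for forward and reverse flows; Connection for icmp src outside:10.170.13.10 dst inside:10.170.0.6 (type 8, code 0) denied due to NAT reverse path failure",
    "Jul 1 04:59:15 gatekeeper %ASA-3-305006: portmap translation creation failed for udp src outside:192.168.47.200/137 dst outside:192.168.47.255/137",
    "Jul 1 06:18:35 gatekeeper %ASA-3-305005: No translation group found for udp src outside:192.168.47.200/56003 dst outside:66.174.95.44/53",
]

MSG_ID = re.compile(r"\b(305005|305006|305013)\b")
FLOW = re.compile(
    r"\b(?P<proto>tcp|udp|icmp) src (?P<sif>[\w-]+):(?P<sip>\d+\.\d+\.\d+\.\d+)(?:/(?P<sport>\d+))?"
    r" dst (?P<dif>[\w-]+):(?P<dip>\d+\.\d+\.\d+\.\d+)(?:/(?P<dport>\d+))?"
)

# What each message id says about the NAT table, as worked out in the threads above.
MEANING = {
    "305013": "forward and reverse flows matched different NAT rules: compare the nat 0 ACL and static lines for this src/dst pair (masks and 'name' objects included)",
    "305005": "no NAT rule covers this source on the egress interface: it needs a nat/global pair",
    "305006": "a PAT (portmap) xlate could not be built: the nat/global pair for the egress interface is wrong or missing",
}


def parse_nat_log(line: str) -> Optional[Dict[str, object]]:
    """Extract the message id and the flow from one line; None if it is not a NAT message."""
    mid, flow = MSG_ID.search(line), FLOW.search(line)
    if not mid or not flow:
        return None
    f = flow.groupdict()
    sip, dip = ipaddress.IPv4Address(f["sip"]), ipaddress.IPv4Address(f["dip"])
    same16 = (ipaddress.IPv4Network(f"{sip}/16", strict=False)
              == ipaddress.IPv4Network(f"{dip}/16", strict=False))
    return {
        "id": mid.group(1),
        "proto": f["proto"],
        "src_if": f["sif"], "src": str(sip), "sport": f["sport"],
        "dst_if": f["dif"], "dst": str(dip), "dport": f["dport"],
        # Enters and leaves the same interface: dropped unless
        # 'same-security-traffic permit intra-interface' is configured.
        "hairpin": f["sif"] == f["dif"],
        # A VPN pool carved out of the LAN's own /16 is the classic asymmetric NAT cause.
        "same_slash16": same16,
        "meaning": MEANING[mid.group(1)],
    }


def triage(lines: List[str]) -> Dict[Tuple[str, str, str, str], List[Dict[str, object]]]:
    """Group records by (id, ingress, egress, source) so a burst of retries shows up once."""
    groups: Dict[Tuple[str, str, str, str], List[Dict[str, object]]] = {}
    for line in lines:
        rec = parse_nat_log(line)
        if rec is None:
            continue
        key = (str(rec["id"]), str(rec["src_if"]), str(rec["dst_if"]), str(rec["src"]))
        groups.setdefault(key, []).append(rec)
    return groups


if __name__ == "__main__":
    for key, recs in triage(SAMPLE_LINES).items():
        flags = [k for k in ("hairpin", "same_slash16") if recs[0][k]]
        print(f"{key}: {len(recs)} hit(s) {flags} -> {recs[0]['meaning']}")
```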
-
Design site to Site VPN w/NAT traversal issue
Hi, I have a number of site-to-site VPNs that terminate on a PIX. I intend to migrate these VPNs to a router that sits on a DMZ connected to the PIX. Before doing that I'm going to set up a new VPN to terminate on the router, but I also need the VPNs that terminate on the PIX not to be affected.
If I configure NAT traversal on the PIX, will my other VPNs be affected?
Thanks in advance
DOM
Hi Dom,
Why do you want to configure NAT-Traversal on the PIX if you wish to terminate your VPN on the router (which is on the DMZ)?
Do you do any NAT on the PIX for the router?
If you want to configure NAT-Traversal, it must be configured on the end devices (the router in your case).
Example:
When a user with a Cisco client or a Cisco router behind NAT wants to connect to another device (such as a PIX, ASA, or router), NAT-T must be configured on the terminating device (which would be the PIX or ASA)
Hope that helps.
* Please rate the post
-
Cisco ASA (Site A) with 2 L2L VPNs (call them Site B and Site C)
I need to "inbound NAT" the Site-C network.
Let me explain better:
- Site-B (10.14.63.0/24) accepts only traffic from the local network of Site-A (10.1.6.0/24), and I can't change that VPN.
- Now I've connected Site-C to Site-A, and it must also communicate with Site-B
- So I thought of NATing the Site-C network (10.168.3.0/24) in order to present it with a Site-A IP.
Is that possible?
And how do I configure the ASA at Site-A?
Thank you
Claudio
Hello
What is the software level on the Site-A ASA?
-Jouni