VPN overlapping NAT

Here is my complete config.

Here are a few notes:

IP obtained from the VPN: 10.250.128.X

LAN IP: 192.168.0.0/24

My VPN currently works fine.

What I want to do is NAT my VPN for this.

Example: I want to access the computer 192.168.0.2 on the company LAN.

From the PC (which is connected to the VPN) I want to hit 192.168.200.2 and have the Cisco convert 192.168.200.2 to 192.168.0.2 so that I can access my PC at work.

Of course, I think it must also work the other way (192.168.0.2 to 192.168.200.2) so that the packets can be sent back (not sure about this).

Can you guys help me? This is currently beyond my knowledge.

ASA Version 8.2(1)
!
terminal width 250
hostname hostname
enable password d0/xPtlKePBzdYTe encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
names
!
interface Vlan1
 nameif inside
 security-level 100
 ip address 192.168.0.254 255.255.255.0
!
interface Vlan2
 nameif outside
 security-level 0
 ip address 10.0.128.1 255.255.255.0
!
interface Ethernet0/0
 switchport access vlan 2
 speed 10
 duplex full
!
interface Ethernet0/1
 speed 10
 duplex full
!
interface Ethernet0/2
!
interface Ethernet0/3
!
interface Ethernet0/4
!
interface Ethernet0/5
!
interface Ethernet0/6
!
interface Ethernet0/7
!
boot system disk0:/asa821-k8.bin
ftp mode passive
object-group service grp_outside_in tcp
 description Ports required for internal transfer
 port-object eq smtp
 port-object eq ssh
access-list inside-out extended permit ip any any
access-list inside-out extended permit icmp any any
access-list no_nat extended permit ip 192.168.0.0 255.255.0.0 10.250.128.0 255.255.255.0
access-list split-tunnel extended permit ip 192.168.0.0 255.255.20.0 10.250.128.0 255.255.255.0
access-list 100 extended permit ip 10.250.128.0 255.255.255.0 192.168.0.0 255.255.255.0
access-list 100 extended permit icmp 10.250.128.0 255.255.255.0 192.168.0.0 255.255.255.0
access-list 101 extended permit ip any any
access-list 101 extended permit icmp any any
pager lines 34
logging enable
logging timestamp
logging buffered debugging
logging trap debugging
logging asdm informational
mtu inside 1500
mtu outside 1500
ip local pool mobilepool 10.250.128.100-10.250.128.130 mask 255.255.255.0
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-621.bin
no asdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 0 access-list no_nat
nat (inside) 1 0.0.0.0 0.0.0.0
nat (outside) 1 0.0.0.0 0.0.0.0
route outside 0.0.0.0 0.0.0.0 10.0.128.2 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
dynamic-access-policy-record DfltAccessPolicy
aaa authentication ssh console LOCAL
http server enable
http 192.168.1.0 255.255.255.0 inside
http 192.168.0.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set floating esp-3des esp-md5-hmac
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
crypto dynamic-map dyn1 1 set transform-set floating
crypto dynamic-map dyn1 1 set reverse-route
crypto map mobilemap 1 ipsec-isakmp dynamic dyn1
crypto map mobilemap interface outside
crypto isakmp enable outside
crypto isakmp policy 1
 authentication pre-share
 encryption 3des
 hash sha
 group 2
 lifetime 86400
telnet timeout 5
ssh 192.168.0.0 255.255.255.0 inside
ssh 10.0.128.0 255.255.255.0 inside
ssh timeout 5
ssh version 2
console timeout 0
dhcpd auto_config outside
!
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
webvpn
group-policy vpn internal
group-policy vpn attributes
 vpn-simultaneous-logins 50
 vpn-idle-timeout 2000
 vpn-session-timeout 2000
group-policy mobile_policy internal
group-policy mobile_policy attributes
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value
username admin password N2TJh8TeuGc7EOVu encrypted privilege 15
username user1 password gLGaPhl70GqS8DhN encrypted
username user2 password Y7.fXmPk3FvKUGOO encrypted
tunnel-group mobilegroup type remote-access
tunnel-group mobilegroup general-attributes
 address-pool mobilepool
 default-group-policy mobile_policy
tunnel-group mobilegroup ipsec-attributes
 pre-shared-key *
!
class-map global-class
 match default-inspection-traffic
class-map inspection
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum 512
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect rsh
  inspect rtsp
  inspect esmtp
  inspect sqlnet
  inspect skinny
  inspect sunrpc
  inspect xdmcp
  inspect sip
  inspect netbios
  inspect tftp
!
service-policy global_policy global
prompt hostname context
Cryptochecksum:012d58f20bdf997d1e7b6927431e0015
: end

Hi Mr. Gyslain,

So, if I understand correctly, you want the following:

  • NAT the local LAN 192.168.0.0/24 to 192.168.200.0/24 for VPN Client users, so that it does not overlap with their own local network while they are connected

To my knowledge, you should be able to handle this with the following changes to your configuration:

  • Configure policy NAT
  • Change the split tunnel rules
  • Remove the existing NAT0 rule

Here are some example configurations that I think should handle the situation. Of course, make sure you have the old configuration at hand in case you need to go back to it.

Remove the NAT0 rule

  • no nat (inside) 0 access-list no_nat
  • no access-list no_nat extended permit ip 192.168.0.0 255.255.0.0 10.250.128.0 255.255.255.0

By removing the above configuration we avoid presenting the LAN to the VPN Client user with its original IP addresses.

Create the policy NAT

  • access-list VPN-CLIENT-POLICY-NAT permit ip 192.168.0.0 255.255.255.0 10.250.128.0 255.255.255.0
  • static (inside,outside) 192.168.200.0 access-list VPN-CLIENT-POLICY-NAT netmask 255.255.255.0

With the above configuration we tell the ASA to NAT your local LAN 192.168.0.0/24 to 192.168.200.0/24 WHEN connections are made to the destination network 10.250.128.0/24, which is the VPN Client pool. This naturally works in both directions. Also note that if your LAN host IP address is, for example, 192.168.0.100, its NAT address is 192.168.200.100.

Change the VPN Client split tunnel

  • access-list VPN-SPLIT-TUNNEL standard permit 192.168.200.0 255.255.255.0
  • group-policy mobile_policy attributes
    • split-tunnel-network-list value VPN-SPLIT-TUNNEL

The above configuration changes your VPN Client split tunnel ACL to a standard ACL that tells your client which networks to send to the VPN. In this case it would be the new policy NAT network 192.168.200.0/24. After configuring the ACL you naturally set it under the VPN settings.

I don't know if you have split tunnel configured at all, because the configuration doesn't show the ACL name. I know that you can at least have the "tunnelspecified" configuration line without specifying the actual ACL, but I don't know whether what follows is a copy/paste problem or a typo, or whether it would also work with full tunnel.

With the above configuration, to my knowledge, everything should work.

-Jouni

EDIT: Some typos

Edit2: Group policy name was wrong
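To make the rule ordering behind the answer concrete, here is an added Python model (not from the thread and not Cisco code) of how an ASA 8.2 picks a NAT rule on the inside interface and then verifies that the reply flow maps back the same way, the check that produces the "Asymmetric NAT rules matched" / reverse-path failures seen in the AnyConnect thread further down. The rule order (exemption, then policy static, then dynamic PAT), the host-offset mapping and all addresses are assumptions taken from this thread; the example runs offline.

```python
from dataclasses import dataclass, field
from ipaddress import IPv4Address, IPv4Network


class AsymmetricNat(Exception):
    """Models ASA syslog 305013: forward and reverse flows hit different NAT rules."""


def acl(*entries):
    """Build an ASA-style extended ACL as a list of (source, destination) networks."""
    return [(IPv4Network(src), IPv4Network(dst)) for src, dst in entries]


def acl_permits(entries, src, dst):
    """True when any ACE permits traffic from src to dst."""
    src, dst = IPv4Address(src), IPv4Address(dst)
    return any(src in s and dst in d for s, d in entries)


@dataclass
class PolicyStatic:
    """static (inside,outside) <mapped_net> access-list <acl> netmask <mask>"""
    real_net: IPv4Network      # the policy ACL's source network, e.g. 192.168.0.0/24
    mapped_net: IPv4Network    # what the LAN is shown as, e.g. 192.168.200.0/24
    entries: list              # the policy ACL: real source -> destination

    def map_real(self, real):
        # The host part is preserved: 192.168.0.100 becomes 192.168.200.100
        offset = int(IPv4Address(real)) - int(self.real_net.network_address)
        return str(IPv4Address(int(self.mapped_net.network_address) + offset))

    def unmap(self, mapped):
        offset = int(IPv4Address(mapped)) - int(self.mapped_net.network_address)
        return str(IPv4Address(int(self.real_net.network_address) + offset))


@dataclass
class Asa82Nat:
    """Simplified ASA 8.2 NAT order on the inside interface (assumed):
    NAT exemption (nat 0 access-list) -> policy static -> dynamic PAT."""
    nat0_entries: list = field(default_factory=list)   # nat (inside) 0 access-list ...
    statics: list = field(default_factory=list)         # policy static rules
    outside_ip: str = "10.0.128.1"                      # global (outside) 1 interface

    def inside_to_outside(self, src, dst):
        """Return (translated source, rule) for a flow leaving via outside."""
        if acl_permits(self.nat0_entries, src, dst):
            return src, "nat0"
        for st in self.statics:
            if acl_permits(st.entries, src, dst):
                return st.map_real(src), "policy-static"
        return self.outside_ip, "dynamic-pat"

    def outside_to_inside(self, src, dst):
        """Un-translate the destination of a flow arriving on outside, then run the
        reverse-path check the ASA performs: the reply flow must map back to dst."""
        real_dst, rule = dst, "untranslated"   # no nat-control: unmatched traffic passes
        for st in self.statics:
            if IPv4Address(dst) in st.mapped_net and acl_permits(st.entries, st.unmap(dst), src):
                real_dst, rule = st.unmap(dst), "policy-static"
                break
        back_src, back_rule = self.inside_to_outside(real_dst, src)
        if back_src != dst:
            raise AsymmetricNat(f"reply {real_dst}->{src} hits {back_rule} and becomes "
                                f"{back_src}, not {dst}")
        return real_dst, rule


def reverse_path_ok(asa, src, dst):
    """True when an outside-initiated flow passes the reverse-path NAT check."""
    try:
        asa.outside_to_inside(src, dst)
        return True
    except AsymmetricNat:
        return False


# Constructed from the thread: LAN 192.168.0.0/24, VPN pool 10.250.128.0/24,
# LAN presented to VPN clients as 192.168.200.0/24.
LAN, POOL, MAPPED = "192.168.0.0/24", "10.250.128.0/24", "192.168.200.0/24"
POLICY = PolicyStatic(IPv4Network(LAN), IPv4Network(MAPPED), acl((LAN, POOL)))


def fixed_config():
    """The answer's configuration: nat 0 removed, policy static in place."""
    return Asa82Nat(statics=[POLICY])


def nat0_left_in_place():
    """Policy static added but the original nat (inside) 0 access-list no_nat kept."""
    return Asa82Nat(nat0_entries=acl(("192.168.0.0/16", POOL)), statics=[POLICY])


if __name__ == "__main__":
    asa = fixed_config()
    print(asa.inside_to_outside("192.168.0.100", "10.250.128.105"))  # ('192.168.200.100', 'policy-static')
    print(asa.outside_to_inside("10.250.128.105", "192.168.200.2"))  # ('192.168.0.2', 'policy-static')
    print(reverse_path_ok(asa, "10.250.128.105", "192.168.0.2"))      # False: clients must use 192.168.200.x
    print(reverse_path_ok(nat0_left_in_place(), "10.250.128.105", "192.168.200.2"))  # False
```

The last two calls show why both steps of the answer matter: with the policy static in place, a VPN client must address the LAN as 192.168.200.x, and if the old nat 0 exemption is kept, the reply flow takes the exemption instead of the static and the connection is dropped as asymmetric.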

Tags: Cisco Security

Similar Questions

  • Policy overlapping NAT VPN

    Hello community,

    I'm going nuts here. We are trying to configure policy NAT through a site-to-site VPN tunnel, but can't seem to get it working. Here is our configuration:

    access-list sheep extended permit ip 192.168.1.0 255.255.255.0 192.168.12.0 255.255.255.0
    access-list sheep extended permit ip host 10.23.1.5 192.168.12.0 255.255.255.0
    access-list inside_nat_static extended permit ip host 192.168.1.5 192.168.12.0 255.255.255.0
    access-list inside_nat_static2 extended permit ip host 192.168.1.5 any
    nat (inside) 0 access-list sheep
    nat (inside) 2 192.168.1.0 255.255.255.0
    static (inside,outside) 10.23.1.5 access-list inside_nat_static
    static (inside,outside) 63.123.4.56 access-list inside_nat_static2

    I omitted the VPN part because it is correct. When we initiate a ping the tunnel comes up. The problem, I think, is on our side with the policy NAT. With a ping from the remote end, on our ASA we see all the incoming traffic, but our server does not get translated on the way out.

    Appreciate any input...

    -Tom

    Tom,

    Sorry for the delay, I forgot about you, I've just been very busy.

    Here's what you'll need:

    First remove these (you intentionally do NOT want the traffic exempted by 'sheep'):

    access-list sheep extended permit ip 192.168.1.0 255.255.255.0 192.168.12.0 255.255.255.0
    access-list sheep extended permit ip host 10.23.1.5 192.168.12.0 255.255.255.0

    Then add this to translate your outgoing traffic:

    access-list 199 permit ip host 192.168.1.5 192.168.12.0 255.255.255.0
    static (inside,outside) 10.23.1.5 access-list 199

    Translate your inbound traffic also:

    static (outside,inside) 192.168.12.0 192.168.1.0 netmask 255.255.255.0

    Define your crypto ACL as the translated local host to the translated remote subnet:

    access-list cryptomap permit ip host 10.23.1.5 192.168.12.0 255.255.255.0

    You can remove the other line of the ACL.

    Your host should access 192.168.12.x, which is the translated remote network.

    Try it and let me know how it goes.

    Raga

  • Split of static traffic between the VPN and NAT

    Hi all

    We have a site-to-site VPN that secures all traffic from 10.160.8.0/24 to/from 10.0.0.0/8.  It's for everything, including Internet traffic.  However, there is one exception (of course)...

    The part that I can't get to work is this: if traffic comes from the VPN (10.0.0.0/8) to 10.160.8.5 (on 80 or 443), then the return traffic must go back through the VPN.  BUT, if traffic on 80 or 443 comes from anywhere else (the Internet via X.X.X.X, which translates to 10.160.8.5), then it needs to be translated and sent back out to the Internet via Gig2.

    I have the following setup (I tried to include just the necessary lines)...

    interface GigabitEthernet2
     ip address Y.Y.Y.Y 255.255.255.0 ! X.X.X.X and Y.Y.Y.Y are in the same subnet
     ip address X.X.X.X 255.255.255.0 secondary
     ip nat outside
     crypto map ipsec-map-S2S
    interface GigabitEthernet4.2020
     description 2020
     encapsulation dot1Q 2020
     ip address 10.160.8.1 255.255.255.0
     ip nat inside
     ip virtual-reassembly
    ip nat inside source list NAT-outgoing interface GigabitEthernet2 overload
    ip nat inside source static tcp 10.160.8.5 80 X.X.X.X 80 route-map NO-NAT extendable
    ip nat inside source static tcp 10.160.8.5 443 X.X.X.X 443 route-map NO-NAT extendable
    ip access-list extended NAT-outgoing
     deny tcp host 10.160.8.5 10.0.0.0 0.0.0.255 eq www
     deny tcp host 10.160.8.5 10.0.0.0 0.0.0.255 eq 443
     permit tcp host 10.160.8.5 any eq www
     permit tcp host 10.160.8.5 any eq 443
    ip access-list extended NO-NAT
     deny tcp host 10.160.8.5 10.0.0.0 0.0.0.255 eq www
     deny tcp host 10.160.8.5 10.0.0.0 0.0.0.255 eq 443
     permit ip any any
    route-map NO-NAT permit 10
     match ip address NO-NAT

    With the above configuration, we can get to 10.160.8.5 from the Internet, but cannot get to it over the VPN tunnel (from 10.200.0.0/16).  If I remove the two «ip nat inside source static...» commands, then the opposite happens: I can then get to 10.160.8.5 over the VPN tunnel but now can't get to it from the Internet.

    How can I get both?  It seems that when I hit the first NAT statement (overload Gig2), the 'deny' in the NAT-outgoing ACL punts me out of that NAT statement.  It can then process the following NAT statement (one of the 'ip nat inside source static...' ones), but the 'deny' in the NO-NAT ACL does not seem to punt me out of that NAT statement.  That's my theory anyway (maybe something else is happening?)

    Does it work like that, or am I misunderstanding something?  It's on a Cisco Cloud Services Router (CSR 1000v).

    Thank you!

    Your netmask is bad for your 10.0.0.0/8. I wouldn't worry about the port/protocol either, since that can screw you up. A better way to do it would be to deny all IP VPN traffic.

    ip access-list extended NAT-outgoing
     deny ip 10.160.8.0 0.0.0.255 10.0.0.0 0.255.255.255
     ...

    ip access-list extended NO-NAT
     deny ip 10.160.8.0 0.0.0.255 10.0.0.0 0.255.255.255
     permit ip any any

    Doc:

    Router to Router IPSec with NAT Overload and Cisco Secure VPN Client

    Thank you

    Brendan

  • How can I get the VPN Client connection NAT-ed

    I installed a router at a customer site to replace a PC that did the NAT on a cable modem connection.

    On the router, NAT is done to get all the PCs on the LAN to access the Internet.

    But... one of the users uses a VPN client to get to his office. With the PC there was no problem, but now that the router is in place he can not connect.

    Because I specialise in switched networks, my knowledge of NAT and VPN clients is limited.

    Does anyone know how to get this user's VPN client session NAT-ed?

    Kind regards

    Martijn Koopsen

    If you have overload configured, then you are PATing the traffic. In any case, you should at least be able to establish a connection, as IPSec uses UDP 500 for the tunnel negotiation. Whether you are able to pass all traffic is another question. Once the tunnel is established, the traffic is encrypted using the ESP protocol, which cannot be PATed under normal circumstances. If this is a Cisco IPsec client, then you must find out what the terminating device is. If it's a 3K concentrator, you could enable IPSec over UDP to work around the ESP problem.

    Hope that helps

    Jean Marc

  • Concentrator 3000 LAN-to-LAN VPN with NAT

    I need to configure a LAN-to-LAN VPN between two 3030 concentrators (separate companies) over the Internet. My company assigns a small subnet for hosts sitting on the client network. The customer wants to use their own IP subnet and assign IP addresses within their range. So, can they do static NAT on their concentrator? Is this possible? Or do they have to NAT the PCs before the traffic arrives at the concentrator? Any help much appreciated.

    Hello

    The VPN Concentrator supports NAT.

    http://Cisco.com/en/us/products/HW/vpndevc/ps2284/products_configuration_example09186a00801ae24c.shtml

    HTH

    Kind regards

    GE.

  • Tunnel VPN and NAT

    Hello. I'm creating an IPSec LAN-to-LAN VPN tunnel from my ASA5510 to another network but have hit a bit of an obstacle. My counterpart on the other side has informed me that he already has a VPN tunnel to another company that has the same IP range as my network (10.100.16.0/24) and so cannot create the tunnel.

    I was wondering whether it is possible to use NAT on the VPN tunnel, so that traffic going from my network over the VPN tunnel gets translated and my counterpart on the other side sees the translated range of IP addresses?

    Thanks in advance for any help.

    Hello

    Yes, you can use the same address you already use for Internet access.

    Just update your crypto access list to reflect the new address and make sure the third party does the same.

    Jon

  • RA VPN through NAT-T troubleshooting

    Hello

    Currently my VPN works great from the outside to the router. The problem is that I'm not sure why the inside traffic is not finding its way to the outside (VPN client). I tried adding an interesting-traffic ACL to my dynamic map; the VPN client did not disconnect, and there is an ISAKMP session in QM_IDLE and an IPSEC tunnel created. I also tried adding a static route on all my local routers (for test only) for the 10.0.12.0 network pointing to my VPN router 10.0.0.188; only my network devices can communicate with my VPN client host when I do this, but the hosts that are part of the network cannot communicate.

    I have attached config and debug outputs.

    Any suggestions?

    TIA,

    -Fred

    Hello

    Can you please add a no-nat ACL with the internal LAN as source and the VPN pool as destination.

    Make sure that your gateway router has a route to the VPN pool.

    r/g

  • IOS IPSEC VPN with NAT translation problem

    I'm having a problem with an IOS IPSEC VPN configuration.

    /*
    crypto isakmp policy 10
     encr 3des
     authentication pre-share
     group 2
    crypto isakmp key TEST123 address 205.xx.1.4
    !
    !
    crypto ipsec transform-set CHAIN esp-3des esp-sha-hmac
    !
    !
    crypto map CRYPTO-MAP 10 ipsec-isakmp
     set peer 205.xx.1.4
     set transform-set CHAIN
     match address 115
    !
    interface FastEthernet0/0
     description TO THE EDGE ROUTER
     ip address 208.xx.xx.33 255.255.255.252
     ip nat outside
     crypto map CRYPTO-MAP
    !
    interface FastEthernet0/1
     description INTERNAL NETWORK
     ip address 10.15.2.4 255.255.255.0
     ip nat inside
    access-list 115 permit ip 192.xx.xx.128 0.0.0.3 172.xx.1.0 0.0.0.3
    */

    (This configuration is incomplete / NAT configuration needed)

    Here is the solution that I'm looking for:

    When a session is initiated from the "internal network" to the "remote IPSEC network 172.xx.1.0/30", I want the address scheme 10.15.0.0/16 to be NAT translated to 192.xx.xx.128/30 before being forwarded via the IPSEC VPN tunnel.

    For more information, see "SCHEMA ATTACHED".

    Any help is greatly appreciated!

    Thank you

    Clint Simmons

    Network engineer

    You can try the following NAT + route-map approach (method 2 in this link):

    http://www.Cisco.com/en/us/Tech/tk648/tk361/technologies_tech_note09186a0080093fca.shtml

    Thank you

    Raja K

  • ASA5505 SSL AnyConnect VPN and NAT Reverse Path failure

    I have worked on this for a while and just haven't found a solution yet.

    I have a Cisco ASA5505 set up at home and I am trying to use the AnyConnect VPN client with it.  I followed the ASA 8.x split tunnel example but am still missing something.

    My home network is 10.170.x.x and I set the VPN address pool to 10.170.13.x. I have a Windows workstation running at 10.170.0.6, printers at 10.170.0.20 and .21, and the inside of the router itself is 10.170.0.1.

    I can connect from the outside and am assigned an IP address of 10.170.13.10, but when I try to access network resources via ICMP or open a web page, the ASDM log shows a bunch of this:

    5. January 27, 2010 | 10: 33:37 | 305013 | 10.170.255.255 | 137. Asymmetrical NAT rules matched for flows forward and backward; Connection for udp src outside:10.170.13.10/137 dst inside:10.170.255.255/137 refused due to path failure reverse that of NAT
    5. January 27, 2010 | 10: 33:36 | 305013 | 10.170.255.255 | 137. Asymmetrical NAT rules matched for flows forward and backward; Connection for udp src outside:10.170.13.10/137 dst inside:10.170.255.255/137 refused due to path failure reverse that of NAT
    5. January 27, 2010 | 10: 33: 35 | 305013 | 10.170.255.255 | 137. Asymmetrical NAT rules matched for flows forward and backward; Connection for udp src outside:10.170.13.10/137 dst inside:10.170.255.255/137 refused due to path failure reverse that of NAT
    5. January 27, 2010 | 10: 33:34 | 305013 | 10.170.0.6 | Asymmetrical NAT rules matched for flows forward and backward; Connection for icmp src, dst outside: 10.170.13.10 inside: 10.170.0.6 (type 8, code 0) rejected due to the failure of reverse path of NAT
    5. January 27, 2010 | 10:33:30 | 305013 | 10.170.255.255 | 137. Asymmetrical NAT rules matched for flows forward and backward; Connection for udp src outside:10.170.13.10/137 dst inside:10.170.255.255/137 refused due to path failure reverse that of NAT
    5. January 27, 2010 | 10: 33:29 | 305013 | 10.170.255.255 | 137. Asymmetrical NAT rules matched for flows forward and backward; Connection for udp src outside:10.170.13.10/137 dst inside:10.170.255.255/137 refused due to path failure reverse that of NAT
    5. January 27, 2010 | 10: 33:28 | 305013 | 10.170.255.255 | 137. Asymmetrical NAT rules matched for flows forward and backward; Connection for udp src outside:10.170.13.10/137 dst inside:10.170.255.255/137 refused due to path failure reverse that of NAT
    5. January 27, 2010 | 10: 33:28 | 305013 | 10.170.0.6 | Asymmetrical NAT rules matched for flows forward and backward; Connection for icmp src, dst outside: 10.170.13.10 inside: 10.170.0.6 (type 8, code 0) rejected due to the failure of reverse path of NAT
    5. January 27, 2010 | 10:33:23 | 305013 | 10.170.0.6 | Asymmetrical NAT rules matched for flows forward and backward; Connection for icmp src, dst outside: 10.170.13.10 inside: 10.170.0.6 (type 8, code 0) rejected due to the failure of reverse path of NAT
    5. January 27, 2010 | 10:33:17 | 305013 | 10.170.0.6 | Asymmetrical NAT rules matched for flows forward and backward; Connection for icmp src, dst outside: 10.170.13.10 inside: 10.170.0.6 (type 8, code 0) rejected due to the failure of reverse path of NAT
    5. January 27, 2010 | 10: 33: 13 | 305013 | 10.170.0.6 | Asymmetrical NAT rules matched for flows forward and backward; Connection for icmp src, dst outside: 10.170.13.10 inside: 10.170.0.6 (type 8, code 0) rejected due to the failure of reverse path of NAT
    5. January 27, 2010 | 10:33:07 | 305013 | 10.170.0.6 | Asymmetrical NAT rules matched for flows forward and backward; Connection for icmp src, dst outside: 10.170.13.10 inside: 10.170.0.6 (type 8, code 0) rejected due to the failure of reverse path of NAT

    I tried several things with NAT but was not able to get beyond that.  Would anyone mind looking at my running config and helping me with this?  Thanks a bunch!

    -Tim

    A couple of points to check.

    name 10.17.13.0 UFP-VPN-pool looks like it should be name 10.170.13.0 UFP-VPN-pool

    access-list inside_nat0_outbound extended permit ip zero 255.255.0.0 UFP-VPN-pool 255.255.255.0

    looks like it should be

    access-list inside_nat0_outbound extended permit ip zero 255.255.255.0 UFP-VPN-pool 255.255.255.0

  • L2L VPN with NAT

    Hi all

    I'm quite inexperienced in this subject and would appreciate advice on this.

    I need to create a VPN tunnel between our site and a remote site.

    On our site we are on the network 192.168.0.X and our external IP address is 12.53.150.100.

    The site we need to connect to is 69.144.38.48.

    We need to go host to host, meaning 192.168.0.97 --> 69.144.38.50, and they want our IP to translate to 10.9.250.1.

    Thanks in advance

    Jason

    Are you familiar with setting up a regular L2L tunnel? In addition to that, you just create a policy NAT:

    access-list 100 extended permit ip host 192.168.0.97 host 69.144.38.50
    static (inside,outside) 10.9.250.1 access-list 100

    When you define your crypto ACL, you specify 10.9.250.1 as the source instead of 192.168.0.97.

    Let me know if you need more help.

  • LAN to LAN VPN with NAT - solved!

    Hello world

    I have a problem with a L2L VPN that is up and logged in; however, when traffic comes from the other side of the tunnel it does not reach the host on the internal network, which uses a static NAT. Inside host 172.18.30.225 is currently NATted to yyy.30.49.14, which is an IP address on the DMZ interface (yyy.30.49.0 255.255.255.240).

    Here is the configuration

    object-group network NET-Tunnel
     network-object host xxx.220.129.134

    access-list Tunnel-ACL extended permit ip host yyy.30.49.14 object-group NET-Tunnel

    crypto map MAP_Tunnel 20 match address Tunnel-ACL

    object network Tunnel-iServer-NAT
     host yyy.30.49.14
    object network Tunnel-iServer
     host 172.18.30.225

    object network Tunnel-iServer
     nat (inside,DMZ) static Tunnel-iServer-NAT

    I hope that this is enough for someone to help me.

    Thank you

    M

    ASA Version 8.3.1

    Post edited by: network operations

    Does the internal host live on the DMZ network or on the internal one? If it lives on the internal network, you can not NAT it to the DMZ interface and have it go out the outside interface, assuming that the outside interface is the VPN endpoint interface. If you terminate the VPN on the DMZ interface and the internal host lives on the internal network, then that's fine.

  • VPN through NAT

    Hello

    I configured a PIX (6.3) for VPN clients (4.0.2). When I try to connect using a dial-up connection I am able to connect, but through a NAT (via a router) I stay connected but cannot access any of the servers. It shows zero packets decrypted.

    Is there something I need to do on the PIX? I'm using IPSEC.

    Help, please.

    NAT, or more precisely PAT, will usually break an IPSec connection. Fortunately, there is a new standard called NAT-T that has each end detect that they are going through a NAT/PAT device, and if so, they wrap everything in UDP packets, which can then be NATed correctly.

    The client has this feature enabled automatically. On the PIX, turn it on with the command:

    > isakmp nat-traversal

    See http://www.cisco.com/univercd/cc/td/doc/product/iaabu/pix/pix_sw/v_63/cmdref/gl.htm#1027312 for more details.

  • Remote access ASA, VPN and NAT

    Hello

    I am trying to get remote access VPN working using the Cisco VPN client and an ASA with no split tunneling. The VPN works a little: I can access devices inside when I connect, but I can't access the Internet. I don't see any errors in the ASA log except these:

    1 Jul 04:59:15 % ASA-3-305006 gatekeeper: failed to create translation portmap for udp src outside:192.168.47.200/137 dst outside:192.168.47.255/137
    1 Jul 04:59:15 % ASA-3-305006 gatekeeper: failed to create translation portmap for udp src outside:192.168.47.200/54918 dst outsidexx.xxx.xxx.xxx/53

    There is only one public IP address, which is assigned to the outside interface by DHCP. The inside network is 192.168.1.0/24, which is PAT'ed to the outside interface, and the VPN network is 192.168.47.X.

    I think my problem is that the .47 net is not NAT'ed out properly and I don't know exactly how to set that up. I can't understand how this is supposed to work, since the VPN net technically already originates from the outside.

    Here is all the relevant config:

    access-list vpn extended permit ip any 192.168.47.0 255.255.255.0
    mtu inside 1500
    mtu outside 1500
    ip local pool vpnpool 192.168.47.200-192.168.47.220 mask 255.255.255.0
    ip verify reverse-path interface outside
    ip audit info action alarm drop
    ip audit attack action alarm drop
    icmp unreachable rate-limit 1 burst-size 1
    icmp permit any outside
    global (inside) 2 interface
    global (outside) 1 interface
    nat (inside) 0 access-list vpn
    nat (inside) 1 0.0.0.0 0.0.0.0
    nat (outside) 2 192.168.47.0 255.255.255.0 outside
    static (inside,outside) tcp interface 3074 XBOX360 3074 netmask 255.255.255.255
    static (inside,outside) udp interface 3074 XBOX360 3074 netmask 255.255.255.255
    static (inside,outside) udp interface 88 XBOX360 88 netmask 255.255.255.255
    static (inside,outside) tcp interface https someids https netmask 255.255.255.255

    I can post more of the configuration if necessary.

    Changing 'nat (outside) 2 192.168.47.0 255.255.255.0 outside' to 'nat (outside) 2 access-list vpn outside' gives these:

    1 Jul 06:18:35 % gatekeeper ASA-3-305005: no group of translation not found for udp src outside:192.168.47.200/56003 dst outside:66.174.95.44/53

    So, how do I correctly NAT the VPN traffic so that it can access the Internet?

    A few things need to be changed:

    (1) The NAT exemption ACL must be modified to be more specific, so that only the traffic between the internal subnet and the VPN pool subnet is exempted. NAT exemption takes precedence over all other NAT statements, so that is why your Internet traffic from the VPN does not work.

    This ACL:

    access-list vpn extended permit ip any 192.168.47.0 255.255.255.0

    Should be changed to:

    access-list vpn extended permit ip 192.168.47.0 255.255.255.0

    (2) You don't need the "global (inside) 2" statement. Here's what should be configured:

    no nat (outside) 2 192.168.47.0 255.255.255.0 outside

    no global (inside) 2 interface

    nat (outside) 1 192.168.47.0 255.255.255.0

    (3) And finally, you must enable the following to allow traffic back out on the outside interface:

    same-security-traffic permit intra-interface

    And don't forget to clear xlate after the changes described above and reconnect to your VPN.

    Hope that helps.

  • Design site-to-site VPN w/NAT traversal issue

    Hi, I have a number of site-to-site VPNs that terminate on a PIX. I intend to migrate these VPNs to a router that sits on a DMZ connected to the PIX. Before doing that I'm going to set up a new VPN to terminate on the router, but I also need the VPNs that terminate on the PIX to be unaffected.

    If I configure NAT traversal on the PIX, will it affect my other VPNs?

    Thanks in advance

    DOM

    Hi Dom,

    Why do you want to configure NAT-Traversal on the PIX, if you wish to terminate your VPNs on the router (which is on the DMZ)?

    Do you do any NAT on the PIX toward the router?

    If you want to configure NAT-Traversal, it must be configured on the terminating devices (on the router in your case).

    Example:

    When a user with a Cisco client or a Cisco router behind NAT wants to connect to another device (such as a PIX, ASA, or router), NAT-T must be configured on the terminating device (which will be the PIX or ASA).

    Hope that helps.

    * Please rate the post

  • L2L VPN with inbound NAT

    Cisco ASA (Site A) with 2 L2L VPNs (call them Site B and Site C)

    I need to "inbound NAT" the Site-C network.

    Let me explain better:

    - Site-B (10.14.63.0/24) accepts only traffic from the local network of Site-A (10.1.6.0/24), and I can't change that VPN.

    - Now I have connected Site-C to Site-A, and it must also communicate with Site-B.

    - So I thought I would NAT the Site-C network (10.168.3.0/24) so that it presents itself with a Site-A IP.

    Possible?

    And how do I configure the ASA at Site-A?

    Thank you

    Claudio

    Hello

    What is the software level on the Site-A ASA?

    -Jouni
