VPN site to Site with NAT (PIX 7.2)

Similar Questions

• Cisco Asa vpn site-to-site with nat

  Hi all

  I need help
  I want to make a site from the site with nat vpn
  Site A = 10.0.0.0/24
  Site B = 10.1.252.0/24

  I want when site A to site B, either by ip 172.26.0.0/24

  Here is my configuration

  inside_nat_outbound to access ip 10.0.0.0 scope list allow 255.255.255.0 10.1.252.0 255.255.255.0

  tunnel-group x.x.x.x type ipsec-l2l
  tunnel-group ipsec-attributes x.x.x.x
  pre-shared-key!

  ISAKMP retry threshold 10 keepalive 2

  Crypto ipsec transform-set ESP-AES-256-SHA 256 - aes - esp esp-sha-hmac
  card crypto outside_map 2 match address inside_nat_outbound

  card crypto outside_map 2 pfs set group5
  card crypto outside_map 2 peers set x.x.x.x

  card crypto outside_map 2 game of transformation-ESP-AES-256-SHA

  NAT (inside) 10 inside_nat_outbound

  Global 172.26.0.1 - 172.26.0.254 10 (outside)

  but do not work.

  Can you help me?

  Concerning

  Frédéric

  You must ensure that there is no NAT 0 ACL statement because it will take precedence over the static NAT.

  You don't need:

  Global 172.26.0.1 - 172.26.0.254 10 (outside)

  NAT (inside) 10 access-list nattoyr

  Because it will be replaced by the static NAT.

  In a Word is enough:

  nattoyr to access ip 10.0.0.0 scope list allow 255.255.255.0 10.1.252.0 255.255.255.0

  access extensive list ip 172.26.0.0 vpntoyr allow 255.255.255.0 10.1.252.0 255.255.255.0

  public static 172.26.0.0 (inside, outside) - nattoyr access list

  card crypto outside_map 2 match address vpntoyr

  card crypto outside_map 2 pfs set group5

  card crypto outside_map 2 defined peer "public ip".

  card crypto outside_map 2 game of transformation-ESP-AES-256-SHA

  outside_map interface card crypto outside

  tunnel-group "public ip" type ipsec-l2l

  tunnel-group "public ip" ipsec-attributes

  pre-shared key *.

  -Make sure that it not there no NAT ACL 0 including the above statements and check if NAT happening (sh xlate) and the

  traffic is being encryption (sh cry ips its)

  Federico.

• Cisco ASA VPN Site to Site WITH NAT inside

  Hello!

  I have 2 ASA 5505 related to IPSEC Tunnel VPN Site to Site.

  A 192.168.1.0/24 'remotely' inside the network and a local "192.168.200.0/24' inside the network (you can see the diagram)

  The local host have 192.168.200.254 as default gateway.

  I can't add static route to all army and I can't add static route to 192.168.200.254.

  NAT the VPN entering as 192.168.200.1 or a 192.168.200.x free to connect my host correcly?

  If my host sends packet to exit to the default gateway.

  Thank you for your support

  Best regards

  Marco

  The configuration must be applied on the SAA with the 192.168.200.0 subnet it is inside, there must be something like this:

  permit 192.168.1.0 ip access list VPN_NAT 255.255.255.0 192.168.200.0 255.255.255.0

  NAT (outside) X VPN_NAT outside access list

  Global (inside) X Y.Y.Y.Y (where the Y.Y.Y.Y) is the ip address

  If you have other traffic on the vpn through the tunnel that requires no nat, then you must add external nat exemption rules since these lines above obliges all traffic through the asa to have a nat statement.

  See if it works for you, else post your config nat here.

• local host to access the vpn site to site with nat static configured

  I have two 881 routers with vpn site to site between them. I have a static nat on the router for a Web server that is accessible from the internet. I can't access the Web server through the vpn. All other traffic is fine its VPN. I think that there is a problem with the NAT. Here are the relevant configuration lines.

  IP nat inside source overload map route SDM_RMAP_1 interface FastEthernet4
  IP nat inside source static 192.168.150.2 bonnefin map route SDM_RMAP_1

  allowed SDM_RMAP_1 1 route map
  corresponds to the IP 100

  access-list 100 deny ip 192.168.150.0 0.0.0.255 192.168.123.0 0.0.0.255
  access-list 100 permit ip 192.168.150.0 0.0.0.255 any

  You should be able to access the web server with its IP private (192.168.150.2) through the VPN connection.

  If you just add the VPN and the road map, try to clear the existing translation and see if you can access it via its private of the Remote LAN VPN ip address.

• VPN site to Site with NAT

  Hello Experts

  We intend to set up a VPN site-to site between two sites, sites, Site & A B such as shown in the attached diagram.

  The LAN on SIte A is 10.8.1.0/24 who are planning to NAT on the ASA5505 to 192.168.42.0/24 because this is the range that is allowed on the firewall on the remote end (Site B ASA 5520)

  What type of configuration requires we on the firewall of the Site regarding the interesting traffic.

  Natted IPs will be the interesting traffic?

  Is there another thing we have in other mind while configuring the ASA for the scenarios.

  Help would be appreciated.

  ACL "crypto-NAT" of my example will be the NAT traffic that source of 10.8.1.0/24 for 10.3.0.0/24 to match 192.168.42.0/24.

  For example:

  10.8.1.1 will be coordinated to 192.168.42.1 when traffic is destined to the 10.3.0.0/24 subnet.

  10.8.1.2 will be coordinated to 192.168.42.2 when traffic is destined to the 10.3.0.0/24 subnet.

  etc etc.

  If you have another remote subnet, you are right, you just add the extra line to the crypto-NAT and crypto-ACL. So, you will have the following lines:

  IP 10.8.1.0 allow Access-list crypto-NAT 255.255.255.0 10.3.0.0 255.255.255.0

  10.8.1.0 IP Access-list crypto-NAT 255.255.255.0 allow 10.5.0.0 255.255.0.0

  Crypto ip 192.168.42.0 access list ACL allow 255.255.255.0 10.3.0.0 255.255.255.0

  Crypto ip 192.168.42.0 access list ACL allow 255.255.255.0 10.5.0.0 255.255.0.0

• A Site with NAT

  Hi all, thanks for looking. I'm a very basic user to a Cisco ASA 5510, I tend to do most of the things in the ASDM GUI interface.

  We need to create a site to site with a client connection. It's pretty easy but there is a caveat, we can use our internal IPS that they already use the range elsewhere. If we gave them two different IP, for example 192.158.22.101 and 192.158.22.102. I created the site to the site using these two survey periods, but these do not exist internally on the machines because they are not IPs on our network, which is using 192.158.44.0.

  The question I have is how can I get the IP addresses 192.158.44.101 and 192.158.44.102 to become 92.158.22.101 and 92.158.22.102 before being sent via this connection. I tried to add the NAT to the object of an IP address related, but I'm obviously missing something.

  The other option, I do not fear to do, is to add a new range of internal IP 192.158.22.0 addresses, but I don't know how do either.

  Any help would be appreciated, I'm really bad here and spent two weeks on this subject already. I searched for it, but it seems that it is either too basic for most people wonder or slightly different, for example, they have control of the two sites.

  Hello

  Add to that dieng said here is the config for NATTING as two IPS 192.158.44.101 and 102:

  network object obj - 192.158.44.101

  Home 192.158.44.101

  network object obj - 192.158.44.102

  Home 192.158.44.102

  object obj -192.158.22.101 network

  Home 192.158.22.101

  object obj -192.158.22.102 network

  host 192.158.22.102

  object obj remote network

  10.x.x.x subnet 255.255.255.0

  You need two NAT statements for this:

  NAT (inside, outside) source dynamic obj - 192.158.44.101 obj -192.158.22.101 destination static obj-remote obj-remote

  nat source (indoor, outdoor) obj dynamic obj - 192.158.44.102 - 192.158.22.102 destination static obj obj-remote control-remote control

  It will be useful.

  Kind regards

  Aditya

  Please evaluate the useful messages.

• VPN site to Site with NAT and Port forwarding on a 871

  Hello

  Could someone please look at the config 871 router attached and tell me where I'm wrong!

  VPNs all work, work, BUT anyone trying to connect to a port that is sent through the VPN port forwarding fails.

  In the config attached Port 3389 (RDP) is sent to an internal server, if you connect to the external interface Internet connection is made and it works well, but if someone tries to connect to the IP address internal to that same server through VPN, it does not.

  We've added commands to stop working on the lines VPN NAT, but these do not seem to work.

  What Miss me?

  Thank you in advance and I will adjudicate all useful responses.

  It is a common problem. Yes you added controls to prevent NAT to work above the tunnel, but your static nat port to port 3389 takes precedence over the generic nat command, and there not all orders top to prevent it is nat would be above the tunnel.

  I wrote an example configuration for this some time, see here for more details:

  http://www.Cisco.com/en/us/Tech/tk583/TK372/technologies_configuration_example09186a0080094634.shtml

  If all goes well, he explains everything. Note that it is for a general order static host, not a static port that you have, but the concept is exactly the same. Just add a statement roadmap on the end of your static command of the port, and this route map - will reference an ACL that denies are used when going up above the tunnel.

• ASA IPSEC site-to-site with NAT problem

  Hello

  I have what I thought was a simple configuration, but I saw the questions and could use a second set of eyes.

  I have a site-to-site between two locations:

  Site A is 192.168.0.0/24

  Site B is 192.168.4.0/24

  I was requested to NAT all communications between these sites for 10.57.4.0/24 and for a single static 192.168.0.112 NAT host at 10.57.4.50.

  Tunnel is running, and I can ping through the link at the end to 192.168.4.20 host; no problems.   But I'm having a problem application where it will be established communications.  I suspect it's the reverse NAT, but I went through the configuration several times.   All NAT connections would be 10.57.4.50 address should given to 192.168.0.112, no restrictions.    All connections to 192.168.4.20, should be NAT should 10.57.4.50 to transverse tunnel.

  The system of site B can also ping 10.57.4.50.

  Here's the running configuration:

  ASA 8.3 Version (2)

  !

  hostname fw1

  domain name

  activate the password encrypted

  passwd encrypted

  names of

  !

  interface Vlan1

  Description city network internal

  nameif inside

  security-level 100

  IP 192.168.9.1 255.255.255.0

  !

  interface Vlan2

  Description Internet Public

  nameif outside

  security-level 0

  IP 173.166.117.186 255.255.255.248

  !

  interface Vlan3

  DMZ (CaTV) description

  nameif dmz

  security-level 50

  IP 192.168.2.1 255.255.255.0

  !

  interface Vlan5

  PD Network description

  nameif PDNet

  security level 95

  the IP 192.168.0.1 255.255.255.0

  !

  interface Vlan10

  Description Network Infrastructure

  nameif InfraNet

  security-level 100

  IP 192.168.10.1 255.255.255.0

  !

  interface Vlan13

  Description wireless comments

  nameif Wireless-comments

  security-level 25

  IP 192.168.1.1 255.255.255.0

  !

  interface Vlan23

  nameif StateNet

  security-level 75

  IP 10.63.198.2 255.255.255.0

  !

  interface Ethernet0/0

  switchport access vlan 2

  !

  interface Ethernet0/1

  switchport trunk allowed vlan 1,5,10,13

  switchport trunk vlan 1 native

  switchport mode trunk

  Speed 100

  full duplex

  !

  interface Ethernet0/2

  switchport access vlan 3

  !

  interface Ethernet0/3

  !

  interface Ethernet0/4

  switchport trunk allowed vlan 1,10,13

  switchport trunk vlan 1 native

  switchport mode trunk

  !

  interface Ethernet0/5

  switchport access vlan 23

  !

  interface Ethernet0/6

  Shutdown

  !

  interface Ethernet0/7

  switchport trunk allowed vlan 1

  switchport trunk vlan 1 native

  switchport mode trunk

  Shutdown

  !

  exec banner restricted access

  banner restricted access connection

  passive FTP mode

  clock timezone IS - 5

  clock to summer time EDT recurring

  DNS server-group DefaultDNS

  domain name

  permit same-security-traffic inter-interface

  network obj_any object

  subnet 0.0.0.0 0.0.0.0

  service of the IMAPoverSSL object

  destination eq 993 tcp service

  IMAP over SSL description

  service of the POPoverSSL object

  tcp destination eq 995 service

  POP3 over SSL description

  service of the SMTPwTLS object

  tcp destination eq 465 service

  SMTP with TLS description

  network object obj - 192.168.9.20

  Home 192.168.9.20

  object obj-claggett-https network

  Home 192.168.9.20

  network of object obj-claggett-imap4

  Home 192.168.9.20

  network of object obj-claggett-pop3

  Home 192.168.9.20

  network of object obj-claggett-smtp

  Home 192.168.9.20

  object obj-claggett-imapoverssl network

  Home 192.168.9.20

  object obj-claggett-popoverssl network

  Home 192.168.9.20

  object obj-claggett-smtpwTLS network

  Home 192.168.9.20

  network object obj - 192.168.9.120

  Home 192.168.9.120

  network object obj - 192.168.9.119

  Home 192.168.9.119

  network object obj - 192.168.9.121

  Home 192.168.9.121

  object obj-wirelessnet network

  subnet 192.168.1.0 255.255.255.0

  network of the Clients_sans_fil object

  subnet 192.168.1.0 255.255.255.0

  object obj-dmznetwork network

  Subnet 192.168.2.0 255.255.255.0

  network of the FD_Firewall object

  Home 74.94.142.229

  network of the FD_Net object

  192.168.6.0 subnet 255.255.255.0

  network of the NETWORK_OBJ_192.168.10.0_24 object

  192.168.10.0 subnet 255.255.255.0

  object obj-TownHallNet network

  192.168.9.0 subnet 255.255.255.0

  network obj_InfraNet object

  192.168.10.0 subnet 255.255.255.0

  network of the NETWORK_OBJ_192.168.0.0_24 object

  192.168.0.0 subnet 255.255.255.0

  network of the NHDOS_Firewall object

  Home 72.95.124.69

  network of the NHDOS_SpotsHub object

  Home 192.168.4.20

  network of the IMCMOBILE object

  Home 192.168.0.112

  network of the NHDOS_Net object

  subnet 192.168.4.0 255.255.255.0

  network of the NHSPOTS_Net object

  10.57.4.0 subnet 255.255.255.0

  network of the IMCMobile_NAT_IP object

  Home 10.57.4.50

  service EmailServices object-group

  Description of e-mail Exchange Services / Normal

  service-object, object IMAPoverSSL

  service-object, object POPoverSSL

  service-object, object SMTPwTLS

  the purpose of the tcp destination eq https service

  the purpose of the tcp destination eq imap4 service

  the purpose of the tcp destination eq pop3 service

  the purpose of the tcp destination eq smtp service

  object-group service DM_INLINE_SERVICE_1

  service-object, object IMAPoverSSL

  service-object, object POPoverSSL

  service-object, object SMTPwTLS

  the purpose of the tcp destination eq pop3 service

  the purpose of the tcp destination eq https service

  the purpose of the tcp destination eq smtp service

  object-group service DM_INLINE_SERVICE_2

  service-object, object IMAPoverSSL

  service-object, object POPoverSSL

  service-object, object SMTPwTLS

  the purpose of the tcp destination eq https service

  the purpose of the tcp destination eq pop3 service

  the purpose of the tcp destination eq smtp service

  the obj_clerkpc object-group network

  PCs of the clerk Description

  network-object object obj - 192.168.9.119

  network-object object obj - 192.168.9.120

  network-object object obj - 192.168.9.121

  the TownHall_Nets object-group network

  object-network 192.168.10.0 255.255.255.0

  network-object object obj-TownHallNet

  the DM_INLINE_NETWORK_1 object-group network

  object-network 192.168.10.0 255.255.255.0

  object-network 192.168.9.0 255.255.255.0

  the DOS_Networks object-group network

  network-object 10.56.0.0 255.255.0.0

  network-object, object NHDOS_Net

  outside_access_in list extended access allowed object-group DM_INLINE_SERVICE_2 any external interface

  outside_access_in list extended access allowed object-group DM_INLINE_SERVICE_1 any host 192.168.9.20

  StateNet_access_in list extended access permitted ip object-group obj_clerkpc one

  permit access ip 192.168.0.0 scope list PDNet_access_in 255.255.255.0 192.168.10.0 255.255.255.0

  PDNet_access_in list extended access allowed object IMCMobile_NAT_IP object-group DOS_Networks debug log ip

  PDNet_access_in list extended access permitted ip object IMCMOBILE object-group DOS_Networks

  outside_2_cryptomap extended access list permit ip DM_INLINE_NETWORK_1 object FD_Net object-group

  outside_1_cryptomap extended access list permit ip object NHSPOTS_Net object-group DOS_Networks

  pager lines 24

  Enable logging

  Test1 logging level list class debug vpn

  logging of debug asdm

  E-mail logging errors

  address record

  logging level -l errors ' address of the recipient

  Within 1500 MTU

  Outside 1500 MTU

  MTU 1500 dmz

  MTU 1500 Wireless-comments

  MTU 1500 StateNet

  MTU 1500 InfraNet

  MTU 1500 PDNet

  no failover

  ICMP unreachable rate-limit 1 burst-size 1

  ASDM image disk0: / asdm - 635.bin

  don't allow no asdm history

  ARP timeout 14400

  NAT (InfraNet, outside) static static source to destination TownHall_Nets TownHall_Nets FD_Net FD_Net

  NAT static TownHall_Nets TownHall_Nets destination (indoor, outdoor) static source FD_Net FD_Net

  public static IMCMOBILE IMCMobile_NAT_IP destination NAT (all, outside) static source DOS_Networks DOS_Networks

  !

  network obj_any object

  NAT static interface (indoor, outdoor)

  object obj-claggett-https network

  NAT (inside, outside) interface static tcp https https service

  network of object obj-claggett-imap4

  NAT (inside, outside) interface static tcp imap4 imap4 service

  network of object obj-claggett-pop3

  NAT (inside, outside) interface static tcp pop3 pop3 service

  network of object obj-claggett-smtp

  NAT (inside, outside) interface static tcp smtp smtp service

  object obj-claggett-imapoverssl network

  NAT (inside, outside) interface static tcp 993 993 service

  object obj-claggett-popoverssl network

  NAT (inside, outside) interface static tcp 995 995 service

  object obj-claggett-smtpwTLS network

  NAT (inside, outside) interface static tcp 465 465 service

  network object obj - 192.168.9.120

  NAT (inside, StateNet) 10.63.198.12 static

  network object obj - 192.168.9.119

  NAT (all, StateNet) 10.63.198.10 static

  network object obj - 192.168.9.121

  NAT (all, StateNet) 10.63.198.11 static

  object obj-wirelessnet network

  NAT (Wireless-Guest, outside) static interface

  object obj-dmznetwork network

  interface static NAT (all, outside)

  network obj_InfraNet object

  NAT (InfraNet, outside) static interface

  Access-group outside_access_in in interface outside

  Access-group StateNet_access_in in the StateNet interface

  Access-group PDNet_access_in in interface PDNet

  Route outside 0.0.0.0 0.0.0.0 173.x.x.x 1

  Route StateNet 10.x.x.x 255.255.0.0 10.63.198.1 1

  Timeout xlate 03:00

  Timeout conn 01:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02

  Sunrpc timeout 0:10:00 h323 0:05:00 h225 mgcp from 01:00 0:05:00 mgcp-pat 0:05:00

  Sip timeout 0:30:00 sip_media 0:02:00 prompt Protocol sip-0: 03:00 sip - disconnect 0:02:00

  Timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute

  timeout tcp-proxy-reassembly 0:01:00

  dynamic-access-policy-registration DfltAccessPolicy

  http server enable 5443

  http 192.x.x.x 255.255.255.0 inside

  http 7.x.x.x 255.255.255.255 outside

  No snmp server location

  No snmp Server contact

  Server enable SNMP traps snmp authentication linkup, linkdown cold start

  Crypto ipsec transform-set esp-SHA-ESP-3DES-3des esp-sha-hmac

  Crypto ipsec transform-set ESP-3DES-MD5-esp-3des esp-md5-hmac

  life crypto ipsec security association seconds 28800

  Crypto ipsec kilobytes of life - safety 4608000 association

  card crypto outside_map 1 match address outside_1_cryptomap

  card crypto outside_map 1 set 72.x.x.x counterpart

  map outside_map 1 set of transformation-ESP-3DES-MD5 crypto

  card crypto outside_map 2 match address outside_2_cryptomap

  card crypto outside_map 2 set pfs

  card crypto outside_map 2 peers set 173.x.x.x

  card crypto outside_map 2 game of transformation-ESP-3DES-SHA

  outside_map interface card crypto outside

  crypto ISAKMP allow outside

  crypto ISAKMP policy 10

  preshared authentication

  3des encryption

  sha hash

  Group 2

  life 86400

  crypto ISAKMP policy 30

  preshared authentication

  3des encryption

  md5 hash

  Group 2

  life 86400

  Telnet 192.168.9.0 255.255.255.0 inside

  Telnet timeout 5

  SSH 192.168.9.0 255.255.255.0 inside

  SSH timeout 5

  Console timeout 0

  dhcpd dns 208.67.222.222 208.67.220.220

  dhcpd lease 10800

  dhcpd outside auto_config

  !

  dhcpd address dmz 192.168.2.100 - 192.168.2.254

  dhcpd dns 8.8.8.8 8.8.4.4 dmz interface

  dhcpd enable dmz

  !

  dhcpd address 192.168.1.100 - 192.168.1.254 Wireless-comments

  dhcpd enable Wireless-comments

  !

  a basic threat threat detection

  a statistical threat detection host number rate 2

  statistical threat detection port

  Statistical threat detection Protocol

  Statistics-list of access threat detection

  no statistical threat detection tcp-interception

  NTP server 63.240.161.99 prefer external source

  NTP server 207.171.30.106 prefer external source

  NTP server 70.86.250.6 prefer external source

  WebVPN

  attributes of Group Policy DfltGrpPolicy

  internal FDIPSECTunnel group strategy

  attributes of Group Policy FDIPSECTunnel

  VPN-idle-timeout no

  Protocol-tunnel-VPN IPSec l2tp ipsec

  support for username password encrypted privilege 15

  tunnel-group 72.x.x.x type ipsec-l2l

  72.x.x.x group of tunnel ipsec-attributes

  pre-shared key *.

  tunnel-group 173.x.x.x type ipsec-l2l

  tunnel-group 173.x.x.x General-attributes

  Group Policy - by default-FDIPSECTunnel

  173.x.x.x group of tunnel ipsec-attributes

  pre-shared key *.

  !

  class-map inspection_default

  match default-inspection-traffic

  !

  !

  type of policy-card inspect dns migrated_dns_map_1

  parameters

  message-length maximum 1024

  Policy-map global_policy

  class inspection_default

  inspect the migrated_dns_map_1 dns

  inspect the ftp

  inspect h323 h225

  inspect the h323 ras

  inspect the rsh

  inspect the rtsp

  inspect esmtp

  inspect sqlnet

  inspect the skinny

  inspect sunrpc

  inspect xdmcp

  inspect the sip

  inspect the netbios

  inspect the tftp

  inspect the icmp

  !

  global service-policy global_policy

  192.168.9.20 SMTP server

  context of prompt hostname

  call-home

  Profile of CiscoTAC-1

  no active account

  http https://tools.cisco.com/its/service/oddce/services/DDCEService destination address

  email address of destination [email protected] / * /

  destination-mode http transport

  Subscribe to alert-group diagnosis

  Subscribe to alert-group environment

  Subscribe to alert-group monthly periodic inventory

  monthly periodicals to subscribe to alert-group configuration

  daily periodic subscribe to alert-group telemetry

  Cryptochecksum:ad0f9ad192c3ee212172f5b00b12ce76

  : end

  If you do not have access to the remote site, you participate themselves to network and compare each other configurations.  You will need to make sure that they see as 10.57.4.50 192.168.0.112 and their server responds to that and NOT the 192.168.0.112.

• Validation of the IOS VPN peer identity IP with NAT - T

  I just lost a lot of time to understand this behavior of the IOS. My conclusion reached: If you work with the good old peer identity address validation in profiles ISAKMP and the peer you are talking about is located behind a NAT, you must use the private IP address of the peer in the command "adapter address of the identity". I thought that NAT - T takes care of the translation in all sections of required configuration, but here especially, seems not so much. The interesting thing is that for all other orders, you must use the public IP address.

  See the following example (showing only the relevant articles with statements by peer inside):

  door-key crypto OUR_KEYRING

  key pre-shared key address 1.2.3.4

  Crypto isakmp PROFILE_NAME profile

  VRF TEST

  key ring OUR_KEYRING

  function identity address 192.168.99.5 255.255.255.255

  OUR_MAP 6 ipsec-isakmp crypto map

  defined peer 1.2.3.4

  the value of PROFILE_NAME isakmp-profile

  Does anyone know if this is normal or if it is a bug? It would be useful and consistent if NAT - T changed the identity of the peer address during the phase 1 negotiation, then we would not deal with peer private addressing within site to site VPN configs. I also think of IP scenarios that overlap that may occur when you work with dealing with private peer.

  See the release of relevant debugging in the attachment, after documenting a failed connection attempt (using the public, NATted IP of the peer in the command 'fit the address of identity') and once a following connection attempt (using the IP private, internal counterpart).

  My router is a C2951 with IOS 15.3 (2) T2. The counterpart is an ASA (version & unknown config so far, but I'm sure that the other engineer did not indicate what it is using a private address in its config, despite my session from behind a NAT router, too).

  Thank you & best regards

  Toni

  Toni,

  Problem with identity is that it is an encrypted package (in Exchange MM) so cannot be changed in transit, so that a host may not know reliably it is the external IP address (it can make assumptions, but he doesn't know how long it is valid for).

  Also if you "NAT 'd" identity you can't the difference between two devices behind same NAT/PAT on end of answering machine.

  There are some implmentations IKE allowing IKE to identity type and value to specify manually. IOS not among them.

  Yes decouple us identity and peer of the intellectual property, it adds flexability with a few corner cases which may arrise.

  Yet another reason why NAT is evil?

  M.

• VPN Hub and Spoke with NAT

  Hello! I have a VPN network star topology, I need configuration for our customers to access. I have 3 points of endpoint in this example: VPN, Pix 515e and Linksys RV042 hub. The hub is the site of our parent company, the Pix 515e is our data center and the RV042 is at the customer's site. What I currently have is a VPN connection between our Pix 515e and the hub, and another between our Pix 515e and the RV042 VPN. What I need is for the server on the client (RV042) site to talk to the hub network via our Pix 515e. I also need to be coordinated traffic so it looks like it's from the same subnet on our Pix 515e to the hub.

  Hub (MEAN): 10.1.6.x

  PIX 515e (HUB): 172.16.3.x

  RV042 (SPOKEN): 192.168.71.x

  PIX 515e (HUB):

  Outside - 12.34.56.78

  Interior - 172.16.1.1

  Hub (TALK):

  Outside - 87.65.43.21

  Interior - 10.1.6.1

  RV042 (SPOKEN):

  Outside - 150.150.150.150

  Interior - 192.168.71.1

  The hub allows all traffic to my Pix 515e on subnet 172.16.3.x and vice versa. The RV042 allows all traffic from 172.16.3.x to talk to 192.168.71.x and vice versa. I need to get 192.168.71.5 on RV042 network 10.1.6.x the network hub through the Pix 515e and make it look like its 172.16.3.71 entry. So I need NAT traffic in the tunnel to another tunnel. Attached config running under the direction of privacy. Any help is greatly appreciated.

  On PIX you need a static policy statement,

  NAT list allowed access host ip 192.168.71.5 10.1.6.0 255.255.255.0

  public static 172.16.3.71 (external, outside) 192.168.71.5 nat access list

  And modify the ACL of appropriately crypto to include natted address.

• I need VPN gateway to gateway with NAT for several subnets, RV082

  I have a pair of RV082 routers and I would like to configure a gateway to gateway VPN tunnel, as described in a book, "How to configure a VPN tunnel that routes all traffic to the remote gateway," (name of file Small_business_router_tunnel_Branch_to_Main.doc).  I followed this recipe book and found that my while the main office has internet connectivity, the branch subnet is not an internet connection.

  Routing behaves as advertised, where all traffic goes to the seat.  However, the 192.168.1.0 subnet in the branch receives no internet connectivity.  I read in other posts that the main router will provide only NAT for the local subnet, not the Management Office subnet.  Is it possible to configure the RV082 router to provide NAT for all subnets?

  If this is not the case, what product Cisco will provide connectivity VPN Tunnel as well as the NAT for all subnets?  The RV082 can be used as part of the final solution or are my RV082s a wasted expense?

  Here is the configuration that I had put in place, (real IP and IKE keys are false).

  Bridge to bridge

  Remote Head Office

  Add a new Tunnel

  No de tunnel                  1                                               2

  Name of the tunnel:, n1 n1-2122012_n2-1282012-2122012_n2-1282012

  Interface: WAN1 WAN1

  Enable :                   yes                                             yes

  --------------------------------------------------------------------------------

  Configuration of local groups

  Type of local security gateway: IP only IP only

  IP address: 10.10.10.123 10.10.10.50

  Local security group type: subnet subnet

  IP address: 192.168.1.0 0.0.0.0

  Subnet mask: 255.255.255.0 0.0.0.0

  --------------------------------------------------------------------------------

  Configuration of the remote control groups

  Remote security gateway type: IP only IP only

  IP address: 65.182.226.50 67.22.242.123

  Security remote control unit Type: subnet subnet

  IP address: 0.0.0.0 192.168.1.0

  Subnet mask: 0.0.0.0 255.255.255.0

  --------------------------------------------------------------------------------

  IPSec configuration

  Input mode: IKE with preshared key IKE with preshared key

  Group of the phase 1 of DH: Group 5 - 1536 bit group 5 - 1536 bit

  Encryption of the phase 1: of THE

  The phase 1 authentication: MD5 MD5

  Step 1 time in HIS life: 2800 2800 seconds

  Perfect Forward Secrecy: Yes Yes

  Group of the phase 2 DH: Group 5 - 1536 bit group 5 - 1536 bit

  Encryption of the phase 2: of THE

  Phase 2 of authentication: MD5 MD5

  Time of the phase 2 of HIS life: 3600 seconds 3600 seconds

  Preshared key: MyKey MYKey

  Minimum complexity of pre-shared key: Enable Yes Enable

  --------------------------------------------------------------------------------

  If you are running 4.x firmware on your RV082, you must add an additional Allow access rule for the Branch Office subnet (considered one of the multiple subnets in the main office) may have access to the internet. Note the firmware version has more details about it.

  http://www.Cisco.com/en/us/docs/routers/CSBR/rv0xx/release/rv0xx_rn_v4-1-1-01.PDF

• PIX v6.3 Site-to-Site with policy NAT

  Hi guys,.

  I need to set up a site to site with nat because we have overlapping subnet at the other end.

  They need access to both servers on our network with IP static.

  Site A: 192.168.100.0/24

  Site b: 192.168.200.128/25

  The other site has chosen this network for NAT: 10.200.50.0/28

  I need to translate

  192.168.100.10 > 10.200.50.2

  192.168.100.20 > 10.200.50.3

  through the tunnel

  That's what I've done so far, will this work? Any problem that may appear with this config?

  Crypto ACL:

  VPN ip 10.200.50.0 access list allow 255.255.255.240 192.168.200.128 255.255.255.128

  Policy_NAT1 list of allowed access host ip of 192.168.100.10 192.168.200.128 255.255.255.128

  Policy_NAT2 list of allowed access host ip 192.168.100.20 192.168.200.128 255.255.255.128

  NAT (inside) 10 access-list Policy_NAT1 0 0

  NAT (inside) 11 access-list Policy_NAT2 0 0

  overall 10 10.200.50.2 (outside)

  Overall 11 10.200.50.3 (outside)

  Thanks in advance!

  Hello

  Your configuration looks very good.

  Although I guess it's a dynamic configuration policy NAT/PAT.

  Incase you want to configure static policy NAT, you need to change a bit. I mean if you wanted a NAT configuration allowing to form bidirectional connection. Both from your site to the remote site and the remote site to your side. You can always use the same ACL you have configured, but you would use the "static" configurations.

  public static 10.200.50.2 (inside, outside) - Policy_NAT1 access list

  public static 10.200.50.3 (inside, outside) - Policy_NAT2 access list

  Review with the static NAT to politics and the dynamic policy NAT/PAT which would be if these hosts have static NAT configured at the direction of the 'outside' interface while static NAT would cancel both of these configurations.

  If you use the political dynamic NAT and had also a static NAT for the host, then you would have to change from the above static NAT in a policy to override the static NAT.

  And with the foregoing in mind possible existing static NAT and new static NAT of policy might have some problems as a whole. In this case the scheduling of NAT rules would determine if static NAT of the policy has been applied already. If you already had the configured static NAT then it would nullify the political new static NAT:. The solution would be to remove the static NAT and enter it again. This would move the static NAT once the static NAT to policy in the order that they appear on the CLI format configuration and, therefore, static political NAT would work for the specified destination and addresses the static NAT for all other destination addresses.

  Hope I made any sense

  Feel free to ask more if necessary while

  -Jouni

• Cisco 877 + VPN Site to Site

  Hello

  I'm new im this forum.
  I've set up a Site VPN site with 2 Cisco 877.

  SITE A:

  Address IP Adreess public: static
  Internal IP Adrees: 192.168.0.XXX
  Mask: 255.255.255.0

  SITE B:

  IP address public Adreess: Dynamics
  Internal IP address: 192.168.2.XXX
  Mask: 255.255.255.0

  I managed to do a ping on both sides, but I can't access file shares, and could rdp on any server in site A, by the internal IP address.

  Fix, is the SITES A and B SITE startup configs.

  Could you please someone help me?

  Hi Marcos,

  Really happy to know that the problem is solved. There is no need to apologize. Please mark this message as answered if there is nothing more.

  Rregards,

  Assia

• 2 one-Site VPN Cisco 2801 and with crossing NAT

  Hi guys,.

  I would like to configure two Cisco 2801 using IPSEC/IKE. Both routers are connected to the internet through DSL lines. The DSL line have RFC1918 address side LAN where routers connected to the internet face. I can do NAT on DSL modems.

  Cisco IOS 2801 routers allow to configure site-2-site VPN with NAT crossing?

  Here is a model of physics/IP configuration:

  LAN<->2801 Modem DSL<-Internet->DSL modem<-Priv ip-=""> 2801<-Priv ip-=""><-> LAN

  Thank you

  Gonçalo

  Yes, you're good to go only if one or both of the sites has an IP address which is natted with private IP address statically. The implementation of IPSec on SRI NAT support in most crosses so that shouldn't be a concern

• Can VPN site-to-site with just 1 static IP address in PIX?

  Hi all

  Can I use pix for VPN with just 1 static IP address as follows:

  LAN-A---PIX1---INTERNET---PIX2---LAN-B

  Just PIX1 has static IP, PIX2 use DHCP from ISP. I have the config this type of VPN with another brand equipment. But the use of PIX, I just VPN config with both ends have a static IP and I can't find any information in the web site. Because when config VPN site-to-site I have to use the command 'same game '.

  Can someone tell me how can I do with PIX? Thank you!

  Best regards

  Teru Lei

  You just need to set up a dynamic encryption on PIX 1 card and a card standard encryption with a peer 'set' on 2 PIX. Here is an example configuration:

  http://www.Cisco.com/warp/public/110/dynamicpix.html

  Note that it also has VPN connection clients in 1 PIX (Lion), so forget all orders of "vpngroup" that you see in his configuration cause, they are not necessary for your scenario.