Site-to-site VPN with NATting of the internal IP address range?
This is our real internal LAN address: 10.40.120.0/26 (internal range), and I want to translate it to
Translated address: 10.254.9.64 255.255.255.192 (internal)
Our remote local address is: 10.254.5.64 255.255.255.192 (remote internal IP address, added range)
Based on the above parameters I did this configuration:
access-list outside_cryptomap permit ip 10.254.9.64 255.255.255.192 10.254.5.64 255.255.255.192
access-list policy-nat permit ip 10.40.120.0 255.255.255.192 10.254.5.64 255.255.255.192
static (inside,outside) 10.254.9.64 access-list policy-nat
I have added all the required Phase 1 and Phase 2 parameters and the public IP of the peer.
I had set up VPNs using ASDM before, but this scenario is new for me; all I was wondering is whether there is anything I need to configure properly to set up the VPN.
If you see TX increasing but not RX, it means that traffic is sent to the remote end but there is no response.
I suggest that you check with the remote end of the VPN to see where the problem is. It is very probably the remote side.
Tags: Cisco Security
Similar Questions
-
VPN does not work with overlapping IP addresses?
When I plug in my ADSL router and have the IP address 10.1.1.1/8, I can use remote access VPN terminating on the firewall and authentication works very well; I set the pool IP address to 10.7.0.1/16, but I cannot access the local LAN. If I connect from my PC and get a 2x2.102.x.y IP address, then when I connect I have no problem accessing the local network and remote access VPN authentication.
Is it a question of routing on the PC with overlapping IPs or not?
Please clarify or provide useful link
Thank you
Hello
It seems that it is a NAT-T problem.
Make sure that the VPN headend has "isakmp nat-t" (if that's a PIX). If it's a concentrator, make sure that "IPsec NAT-T" is enabled.
Additionally, make sure that on the client "Enable Transparent Tunneling" is checked, with "IPSec over UDP (NAT/PAT)" selected.
HTH,
-Kanishka
-
Dear Experts,
If we have 2 remote sites with the same shared storage, can we mount a drive at the remote site?
- Assume that the Oracle database is on the shared disk (for example HP 3PAR)
- The primary Oracle server, with storage as a shared drive (storage shared across geographically separate sites), has all the database files.
- On failure, is it possible to mount the drive at the remote site and mount the Oracle database there?
There must be no effect, as it should be the same disk that was dismounted at the master site.
Thank you and best regards,
IVW
Thanks a lot mseberg
Is it a valid design?
- We have remote sites and want to set up DR. As we only have SE, Data Guard is therefore not an option.
- We think of the SAN replication option.
Have you ever seen / configured such architecture or design?
Can you please throw some light on this. Thanks in advance for your ideas.
Thank you & best regards,
IVW
-
It is a nightmare. Absolute total nightmare. Like a fool, I went to the San Luis Obispo Staples and bought Adobe Photoshop Elements 14 and Adobe Premiere Elements 14. I logged on to your web site with the redemption code and received your serial number. Of course, it did not. Do any of you have ideas?
What is the error message?
It is unacceptable to permit http://helpx.adobe.com/creative-suite/kb/error-serial-number-valid-product.html
-
I created a tab panel and applied some styles to the tabs (drop shadow, and changed the stacking order so that each tab casts a shadow on the one below). Now every time the page loads, it defaults to the lower tab. The only suggestion I've seen is to save and load the site with the desired tab selected and 'active'. This does not seem to solve the problem.
Hmmm, have you looked into this widget from MuseGrid? It looks like roughly what it takes for this?
-
Unable to map a network drive by host name but able to map with the IP address
The server acts as an application server and the file server. We use it as normal, but it is suddenly unable to resolve the host name for other machines. All servers and workstations are not able to map the network drive
with the host name, but every server and workstation is still able to map the network drive with the IP address. When we try to connect the network drive with the host name, it prompts with an error showing that there is an authorization error.
We tried and discovered a few points as below for your reference:
- Able to ping and resolve the hostname via all other servers and workstations.
- Able to access the Terminal Server service by name
- Able to map the network drive with the IP address
- Able to map the drive on the server itself with the host name
Hello
The question you posted would be better suited in the TechNet Forums. I would recommend posting your query in the TechNet Forums.
http://social.technet.Microsoft.com/forums/en-us/categories/
-
Why have I not spam with the email address for the answer
Hello
I posted this because I have a little problem. I use Hotmail to send and receive e-mail messages; in the 'Sent' folder there is the email address I replied to and the e-mail address I replied with, for example:
Sent Reply:
* E-mail address is removed for privacy * Yo * E-mail address is removed for privacy *
* E-mail address is removed for privacy * Hello * E-mail address is removed for privacy *
If Yo, Hi and Hello are new features for Hotmail replies, that is something, but the reply (in the 'Sent' folder) has a different email address. Any help on this, please?
Thank you
Sincerely,
Frampton rocks
Hello
I'm sorry, but we cannot help with Hotmail problems in these Vista forums.
Please repost your question in the Hotmail forums at the link below
http://windowslivehelp.com/product.aspx?ProductID=1
Site-to-site VPN with the possibility of dial back-up
Hello
Our network currently uses a lot of Frame Relay links; for these connections we use the Cisco 1720 with dial back-up over an analog line in case the Frame Relay fails.
I am looking for a way to have a site-to-site VPN connection and still always have the possibility of dial back-up in case of an ISP failure. We currently have a Cisco PIX 515E which would host the connections; what would be my best option on the office side? PIX firewalls or Cisco 1720s with VPN modules, perhaps a combination of the two? Which would be safer?
Thank you in advance for any help you provide.
Mauro
Mauro,
Do you want to replace FR with VPN links and then back up the VPN with ISDN, or keep the FR, falling back to VPN, then falling back to ISDN?
Whatever it is, the way to go is to use a dynamic routing protocol on the FR and the VPN, so when a link fails the IP routing reconverges. This way you can always trigger the ISDN with a floating static route.
Run EIGRP (or any other dynamic routing protocol) over the VPN through a GRE tunnel to allow multicast neighbour traffic.
-
ASA site-to-site VPN (with NAT) ICMP problem
Hi all!
I need to PAT traffic from 192.168.1.0/24 (via VPN) to reach the remote 151.1.1.0/24, through the 192.168.123.9 router in the DMZ (see diagram).
It works with this configuration, except for ICMP.
This is the error: Deny icmp src dmz:151.1.1.1 dst outside:192.168.123.229 (type 0, code 0)
Is there a way to do this?
Thank you all!
Marco
------------------------------------------------------------------------------------
ASA Version 8.2(2)
!
hostname ciscoasa
domain-name default.domain.invalid
enable password 8Ry2YjIyt7RRXU24 encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
names
name 192.168.1.0 remote-network
!
interface Vlan1
 nameif inside
 security-level 100
 ip address 192.168.200.199 255.255.255.0
!
interface Vlan2
 nameif outside
 security-level 0
 ip address 10.0.0.2 255.255.255.0
!
interface Vlan3
 no forward interface Vlan1
 nameif dmz
 security-level 0
 ip address 192.168.123.1 255.255.255.0
!
interface Ethernet0/0
 switchport access vlan 2
!
interface Ethernet0/1
!
interface Ethernet0/2
!
interface Ethernet0/3
!
interface Ethernet0/4
!
interface Ethernet0/5
!
interface Ethernet0/6
!
interface Ethernet0/7
 switchport access vlan 3
!
ftp mode passive
dns server-group DefaultDNS
 domain-name default.domain.invalid
object-group network DM_INLINE_NETWORK_1
 network-object 151.1.1.0 255.255.255.0
 network-object 192.168.200.0 255.255.255.0
access-list outside_1_cryptomap extended permit ip object-group DM_INLINE_NETWORK_1 remote-network 255.255.255.0
access-list inside_nat0_outbound extended permit ip 192.168.200.0 255.255.255.0 remote-network 255.255.255.0
access-list VPN_NAT extended permit ip remote-network 255.255.255.0 151.1.1.0 255.255.255.0
access-list dmz_access_in extended permit icmp any any
access-list outside_access_in extended permit icmp any any
pager lines 24
logging enable
logging asdm notifications
mtu inside 1500
mtu outside 1500
mtu dmz 1500
icmp unreachable rate-limit 1 burst-size 1
icmp permit any dmz
asdm image disk0:/asdm-625.bin
no asdm history enable
arp timeout 14400
global (outside) 1 interface
global (dmz) 5 192.168.123.229
nat (inside) 0 access-list inside_nat0_outbound
nat (inside) 1 192.168.200.0 255.255.255.0
nat (outside) 5 access-list VPN_NAT outside
access-group outside_access_in in interface outside
access-group dmz_access_in in interface dmz
route outside 0.0.0.0 0.0.0.0 10.0.0.100 1
route dmz 151.1.1.0 255.255.255.0 192.168.123.9 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
dynamic-access-policy-record DfltAccessPolicy
http server enable
http 0.0.0.0 0.0.0.0 inside
http remote-network 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
crypto map outside_map 1 match address outside_1_cryptomap
crypto map outside_map 1 set pfs group1
crypto map outside_map 1 set peer 10.0.0.1
crypto map outside_map 1 set transform-set ESP-3DES-SHA
crypto map outside_map interface outside
crypto isakmp enable outside
crypto isakmp policy 10
 authentication pre-share
 encryption 3des
 hash sha
 group 2
 lifetime 86400
telnet timeout 5
ssh timeout 5
console timeout 0
dhcpd auto_config outside
!
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
webvpn
tunnel-group 10.0.0.1 type ipsec-l2l
tunnel-group 10.0.0.1 ipsec-attributes
 pre-shared-key *
!
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum client auto
  message-length maximum 512
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect rsh
  inspect rtsp
  inspect esmtp
  inspect sqlnet
  inspect skinny
  inspect sunrpc
  inspect xdmcp
  inspect sip
  inspect netbios
  inspect tftp
  inspect ip-options
!
service-policy global_policy global
prompt hostname context
call-home
 profile CiscoTAC-1
  no active
  destination address http https://tools.cisco.com/its/service/oddce/services/DDCEService
  destination address email [email protected]
  destination transport-method http
  subscribe-to-alert-group diagnostic
  subscribe-to-alert-group environment
  subscribe-to-alert-group inventory periodic monthly
  subscribe-to-alert-group configuration periodic monthly
  subscribe-to-alert-group telemetry periodic daily
------------------------------------------------------------------------------------
Review the link: you have two ways to allow the outbound ICMP, a proper ACL or ICMP inspection.
http://www.Cisco.com/en/us/products/HW/vpndevc/ps2030/products_tech_note09186a0080094e8a.shtml
-
Hi all
My apologies if this is a trivial question, but I have spent considerable time trying to search and had no luck.
I encountered a problem trying to set up a temporary L2L VPN from a CISCO2911 at a subscriber site, sitting behind the ISP's router, to an ASA. The ISP has informed me that I can't bypass their device and terminate the Internet circuit on the Cisco, for whatever reason, so I'm stuck with it. The setup is:
company 10.1.17.1 - y.y.y.y - router Internet - z.z.z.z - ISP - LAN - 10.x.x.2 - XXX1 - ASA - 10.1.17.2 - CISCO2911 - 10.1.15.1 LAN
where 10.x.x.x is a private corporate LAN range, y.y.y.y is the public IP address assigned to the external interface of the ASA and z.z.z.z is the public IP address of the ISP router.
I have forwarded ports 500, 4500 and ESP on the ISP router to 10.1.17.2. The 2911 config is attached below; what I can't understand is which peer IP address to configure on the ASA, because if I use z.z.z.z it will cause an identity mismatch, since the 2911 identifies itself as 10.1.17.2...
! ^^^ ISAKMP (Phase 1) ^^^ !
crypto isakmp policy 5
 encr 3des
 hash md5
 authentication pre-share
 group 2
 lifetime 28800
crypto isakmp key * address y.y.y.y no-xauth
! ^^^ IPSEC (Phase 2) ^^^ !
ip access-list extended crymap
 permit ip 10.1.15.0 0.0.0.255 10.0.0.0 0.255.255.255
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto map VPN-TUNNEL 1 ipsec-isakmp
 set peer y.y.y.y
 set transform-set ESP-3DES-SHA
 match address crymap
interface GigabitEthernet0/2
 crypto map VPN-TUNNEL
Hello
From the debug output, it seems it is going through the IPSEC states and the tunnel ends up in QM_IDLE.
What I noticed in your ASA configuration is that you're using PFS, but not on the 2911 router.
So I suggest:
no crypto map OUTSIDE_map 4 set pfs   ! this will disable PFS on the ASA
Then try to initiate the tunnel.
Kind regards
Jan
-
Site-to-site with overlapping subnets
Hi all
Looking for confirmation on what is / is not possible. In short, we have a site-to-site requirement but our local LAN ranges conflict. I am aware of how to get this up and running with the help of a pool of IP addresses that a basic ASA/IOS device can NAT behind, but I wonder if it is possible to NAT behind a single IP address. NAT is also in place for the general internet traffic, but I hope that the attached image best describes our scenario.
Any help / advice appreciated.
Kind regards
Martyn
Hello
You will need to do NAT on both ends to get the setup working.
With these types of configurations, I most often just NAT one /24 network to another /24 network on both sites.
You can configure one of the sites to use a PAT address towards the other end, but the other end must have some sort of static NAT between the individual hosts or the /24 networks.
If you were to configure both sites with a PAT translation, you couldn't really initiate connections between the sites, because no real host on the 192.168.1.0/24 networks would have its own specific NAT IP to connect to.
So in short:
- Both sites need NAT
- Using 1:1 static NAT between host addresses or complete networks on both sites:
- Both sites can initiate connections to any host on the remote end, since every single host has its own statically assigned NAT IP address
- Using PAT for one site and 1:1 static NAT with host addresses or complete networks on the other site:
- The site with the single PAT IP address can connect to all hosts of the remote site, since they have statically assigned NAT IP addresses.
- The other site is not able to connect to any host at the PAT site, since that site has only a PAT address facing its way.
If you had 2 ASAs with 8.2 or lower software, your static NAT configurations could be e.g.:
Basic information
- Site1: 192.168.1.0/24
- Site1 NAT: 10.10.1.0/24
- Site2: 192.168.1.0/24
- Site2 NAT: 10.10.2.0/24
Site1 static policy NAT configuration
access-list L2L-VPN-POLICYNAT permit ip 192.168.1.0 255.255.255.0 10.10.2.0 255.255.255.0
static (inside,outside) 10.10.1.0 access-list L2L-VPN-POLICYNAT
Site2 static policy NAT configuration
access-list L2L-VPN-POLICYNAT permit ip 192.168.1.0 255.255.255.0 10.10.1.0 255.255.255.0
static (inside,outside) 10.10.2.0 access-list L2L-VPN-POLICYNAT
PAT configuration at either end
access-list L2L-VPN-POLICYPAT permit ip 192.168.1.0 255.255.255.0 10.10.x.0 255.255.255.0
global (outside) xxx 10.10.x.1
nat (inside) xxx access-list L2L-VPN-POLICYPAT
If you had 2 ASAs with 8.3 or above software, your static NAT configurations could be for example (same basic information):
Site1 static policy NAT configuration
object network LAN
 subnet 192.168.1.0 255.255.255.0
object network LAN-NAT
 subnet 10.10.1.0 255.255.255.0
object network REMOTE
 subnet 10.10.2.0 255.255.255.0
nat (inside,outside) 1 source static LAN LAN-NAT destination static REMOTE REMOTE
Site2 static policy NAT configuration
object network LAN
 subnet 192.168.1.0 255.255.255.0
object network LAN-NAT
 subnet 10.10.2.0 255.255.255.0
object network REMOTE
 subnet 10.10.1.0 255.255.255.0
nat (inside,outside) 1 source static LAN LAN-NAT destination static REMOTE REMOTE
PAT configuration at either end
object network LAN
 subnet 192.168.1.0 255.255.255.0
object network LAN-PAT
 host 10.10.x.1
object network REMOTE
 subnet 10.10.x.0 255.255.255.0
nat (inside,outside) 1 source dynamic LAN LAN-PAT destination static REMOTE REMOTE
-Jouni
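As an added illustration (not Jouni's or Cisco's code), this Python model simulates the two-sided policy NAT described in the answer above; the same principle covers the translated-range question at the top of the page, where the crypto ACL had to be written with the translated 10.254.9.64/26 addresses. It shows that each site presents a NAT network to the peer, that the crypto ACL must match post-NAT addresses (NAT runs before encryption on ASA 8.2), and that a site hiding behind a single PAT address cannot be reached unsolicited. The hosts 192.168.1.50 and 192.168.1.20 and the /32 PAT address are constructed for the example.

```python
import ipaddress
from dataclasses import dataclass

IPv4 = ipaddress.IPv4Address
Net = ipaddress.IPv4Network


@dataclass
class SiteNat:
    """One site's policy NAT towards the L2L peer (ASA 8.2 'static ... access-list' style).

    real   - the site's real LAN, 192.168.1.0/24 at both sites in this scenario
    mapped - the NAT network shown to the peer (a /32 here models a single PAT address)
    remote - the peer's NAT network; the translation only applies to that destination
    """
    real: Net
    mapped: Net
    remote: Net

    @property
    def is_pat(self) -> bool:
        return self.mapped.prefixlen == 32

    def outbound(self, src: IPv4, dst: IPv4) -> IPv4:
        """Translate the real source only for traffic towards the peer's NAT network."""
        if src not in self.real or dst not in self.remote:
            return src                                   # not policy traffic: untouched
        if self.is_pat:
            return self.mapped.network_address           # everyone hides behind one IP
        offset = int(src) - int(self.real.network_address)
        return IPv4(int(self.mapped.network_address) + offset)  # 1:1 static mapping

    def inbound(self, dst: IPv4):
        """Untranslate a packet arriving at this site's NAT address; None if impossible."""
        if dst not in self.mapped:
            return dst
        if self.is_pat:
            return None   # PAT keeps no per-host mapping, so the peer cannot initiate to us
        offset = int(dst) - int(self.mapped.network_address)
        return IPv4(int(self.real.network_address) + offset)


def crypto_acl_match(site: SiteNat, src: IPv4, dst: IPv4) -> bool:
    """NAT happens before encryption on ASA 8.2, so the crypto ACL must be written
    with post-NAT addresses: local mapped net -> peer's NAT net."""
    return src in site.mapped and dst in site.remote


def deliver(sender: SiteNat, receiver: SiteNat, src: str, dst: str) -> dict:
    """Walk one packet from a real host at the sender to a NAT address of the receiver."""
    s, d = IPv4(src), IPv4(dst)
    s_wire = sender.outbound(s, d)                    # sender's policy NAT
    encrypted = crypto_acl_match(sender, s_wire, d)   # does it enter the tunnel?
    d_real = receiver.inbound(d) if encrypted else None
    return {"src_on_wire": str(s_wire), "encrypted": encrypted,
            "dst_real": None if d_real is None else str(d_real)}


# Constructed topology from the answer: both LANs are 192.168.1.0/24.
SITE1 = SiteNat(Net("192.168.1.0/24"), Net("10.10.1.0/24"), Net("10.10.2.0/24"))
SITE2 = SiteNat(Net("192.168.1.0/24"), Net("10.10.2.0/24"), Net("10.10.1.0/24"))
SITE1_PAT = SiteNat(Net("192.168.1.0/24"), Net("10.10.1.1/32"), Net("10.10.2.0/24"))

if __name__ == "__main__":
    # Site1 host .50 reaches Site2 host .20 through its NAT address 10.10.2.20
    print(deliver(SITE1, SITE2, "192.168.1.50", "10.10.2.20"))
    # The same packet addressed to 192.168.1.20 stays local: no NAT, no tunnel
    print(deliver(SITE1, SITE2, "192.168.1.50", "192.168.1.20"))
    # With only a PAT address at Site1, Site2 can encrypt towards it but nothing can be delivered
    print(deliver(SITE2, SITE1_PAT, "192.168.1.20", "10.10.1.1"))
```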
-
If I go on a site with video, it stops and a sound is heard. It crashes sometimes. These are the messages I had:
Stop: 0x0000008E (0x805BC1E9, 0xBA287C7C, 0xC0000005, 0x00000000)
ALSO
BCCode: 1000008e BCP1: C0000005 BCP2: 805BC1E9 BCP3: BA287C7C
BCP4: 00000000 OSVer: 5_1_2600 SP: 3_0 Product: 256_1
Please provide additional information on your system:
What is your system brand and model?
What is your version of XP and the Service Pack?
Describe your current antivirus and anti-malware software situation: McAfee, Norton, Spybot, AVG, Avira!, Defender, ZoneAlarm, PC Tools, MSE, Comodo, etc.
Click Start, Run and enter in the box:
msinfo32
Click OK and when the System Information summary appears, click Edit, Select All, Copy, and then paste the information here.
For information about video drivers, expand Components, click Display, click Edit, Select All, Copy and then paste the information here.
For more audio information, expand Components, click Sound Device, click Edit, Select All, Copy and then paste the information here.
There will be some personal information (such as the user name and the name of the system); anything you consider private, simply delete from the pasted information.
This will minimize back-and-forth Q & A and eliminate guesswork.
Download BlueScreenView here:
Unzip it and run it (BSV installs nothing) and let it complete the scan of all of your dump files.
If you double-click on a dump, you will get information on it (including the Caused By Driver field) and you should be able to spot the problem right away - especially if you see a pattern in the dumps where the Caused By Driver field is the same (start with this driver).
Select (highlight) one or more of the most recent dump files by clicking on them, holding down the CTRL key to select multiple files. Try to select only the most recent dumps that relate to your problem (perhaps five or six dump files to start).
Click File, Save Selected Items and save the information from the dumps to a text file on your desktop called BSOD.txt.
Open BSOD.txt with a text editor, copy the text and paste it in your next reply.
Here's an example of a BSV report for a single BSOD I initiated on purpose that indicates the cause of the crash as the driver i8042prt.sys belonging to Microsoft Corporation:
==================================================
Dump File: Mini062110-01.dmp
Crash Time: 21/06/2010 11:51:31
Bug Check String: MANUALLY_INITIATED_CRASH
Bug Check Code: 0x000000e2
Parameter 1: 0x00000000
Parameter 2: 0x00000000
Parameter 3: 0x00000000
Parameter 4: 0x00000000
Caused By Driver: i8042prt.sys
Caused By Address: i8042prt.sys+27fb
File Description: i8042 Port Driver
Product Name: Microsoft® Windows® Operating System
Company: Microsoft Corporation
File Version: 5.1.2600.5512 (xpsp.080413-2108)
Processor: 32-bit
Computer Name:
Full Path: C:\WINDOWS\minidump\Mini062110-01.dmp
==================================================
Send the information from the 5 most recent memory dumps.
No matter what you use for protection against malware, please follow these steps:
Download, install, update and do a full scan with these free malware detection programs:
Malwarebytes (MBAM): http://malwarebytes.org/
SUPERAntiSpyware (SAS): http://www.superantispyware.com/
They can be uninstalled later if you wish.
Do not guess what the problem might be - understand and resolve it.
I need YOUR votes and points for helpful answers and proposed answers. I'm saving for a pony!
-
A web site with the IIS configuration network location
Is there information on how to set up a web site at a network location? I have a shared directory on a Mac that I can access from my Windows Vista PC. I have an IIS web server on this PC and want to test the Mac files with the IIS web server on the Windows computer. I created a site in IIS and pointed it at the shared drive; this resulted in an error: cannot read the web.config configuration file. I tried a different approach: create a local site in wwwroot, then create a virtual directory. This gave the same error: the requested page cannot be accessed because the configuration data for the page is invalid. I have IIS 7 on Windows Vista Business Edition.
Hello
Your Windows Vista question is more complex than what is generally answered in the Microsoft Answers forums. It is better suited for the audience on the IIS forums. Please post your question at the following link for assistance:
Link to the forum:
-
How to implement multi-site with the same URL field in the ATG
Hi guys,.
I have a multisite requirement with the same URL domain, but ATG does not support the same domain URL for multisite. Can someone please help me with this problem?
Thank you
Vivek
As I said, use custom filters to read the parameter when the user clicks on the link for that site, and set the site context.
You can store a cookie that determines the site for subsequent requests.
Peace
Shaik
-
So I have a MacBook Pro, and it advised me that I had to update my Adobe Flash Player. So I go through all the steps and I'm stuck at the last stage, where it asks me for my user name and password. I enter them correctly, several times, and it does NOT connect. It shakes to show that there's an error. I double-checked my file AND I went to the Adobe site to log in with the same information, and it works very well.
WHAT IS THE PROBLEM? Help please.
Could you please try ComputerName administrator as the username and the password as the password.
I hope this works.
Regards
Hervé Khare