VPN with NAT Interface
Hello
I am trying to set up a VPN between a VLAN I have defined and another office. I have been using nat on the interface for internet access with a NAT pool.
I created the VPN with crypto card and the VPN is successfully registered.
The problem I encounter is that with NAT is enabled, internet access is working but I can ping through the VPN.
If I disable NAT, VPN works perfectly, but then him VLAN cannot access the internet.
What should I do differently?
Here is the config:
Feature: 2911 with security package
Local network: 10.10.104.0/24
Remote network: 192.168.1.0/24
Public beach: 65.49.46.68/28
crypto ISAKMP policy 104
BA 3des
preshared authentication
Group 2
lifetime 28800
ISAKMP crypto key REDACTED address 75.76.102.50
Crypto ipsec transform-set esp-3des esp-sha-hmac strongsha
OFFICE 104 ipsec-isakmp crypto map
defined by peer 75.76.102.50
Set transform-set strongsha
match address 104
interface GigabitEthernet0/0
IP 65.49.46.68 255.255.255.240
penetration of the IP stream
NAT outside IP
IP virtual-reassembly
full duplex
Speed 100
standby mode 0 ip 65.49.46.70
0 6 2 sleep timers
standby 0 preempt
card crypto OFFICE WAN redundancy
interface GigabitEthernet0/2.104
encapsulation dot1Q 104
IP 10.10.104.254 255.255.255.0
IP nat pool wan_access 65.49.46.70 65.49.46.70 prefix length 28
overload of IP nat inside source list 99 pool wan_access
access-list 99 permit 10.10.104.0 0.0.0.255
access-list 104. allow ip 10.10.104.0 0.0.0.255 192.168.1.0 0.0.0.255
access-list 104. allow ip 192.168.1.0 0.0.0.255 10.10.104.0 0.0.0.255
access-list 104 allow icmp 10.10.104.0 0.0.0.255 192.168.1.0 0.0.0.255
access-list 104 allow icmp 192.168.1.0 0.0.0.255 10.10.104.0 0.0.0.255
ISAKMP crypto #sh her
IPv4 Crypto ISAKMP Security Association
DST CBC conn-State id
65.49.46.70 75.76.102.50 QM_IDLE 1299 ACTIVE
Hello!
Please, make these changes:
extended Internet-NAT IP access list
deny ip 10.10.104.0 0.0.0.255 192.168.1.0 0.0.0.255
IP 10.10.104.0 allow 0.0.0.255 any
IP nat inside source list Internet-NAT pool access-wan overload
* Please do not remove the old NAT instance until you add that above.
Please hold me.
Thank you!
Sent by Cisco Support technique Android app
Tags: Cisco Security
Similar Questions
-
Remote host IP SLA ping by tunnel VPN with NAT
Hi all
I did some research here, but don't drop on similar issues. I'm sure that what I want is not possible, but I want to make sure.
I want to monitor a remote host on the other side a VPN. The local endpoint is my ASA.
The local INSIDE_LAN traffic is NATted to 10.19.124.1 before entering the VPN tunnel.
Interesting VPN traffic used ACL card crypto:
access-list 1 permit line ACL_TUNNELED_TO_REMOTE extended ip host 10.19.124.1 192.168.1.0 255.255.255.0
NAT rules:
Global (OUTSIDE) 2 10.19.124.1 mask 255.255.255.255 subnet
NAT (INSIDE_LAN) 2-list of access ACL_NAT_TO_REMOTE
NAT ACL
access-list 1 permit line ACL_NAT_TO_REMOTE extended ip 172.19.126.32 255.255.255.224 192.168.1.0 255.255.255.0
This configuration works very well for traffic from hosts in 172.19.126.32 255.255.255.224 is 192.168.1.0 255.255.255.0.
However, I like to use "ip sla" on the SAA itself to monitor a remote host with icmp ping 192.168.1.0. This would imply NATting one IP on the ASA to 10.19.124.1, but I do not see how to do this. None of the interfaces on the SAA are logical, to use as a source for this interface.
Thanks for ideas and comments.
Concerning
You are absolutely right, that unfortunately you won't able to NAT interface ASA IP address. NAT works for traffic passing by the ASA, don't not came from the SAA itself.
-
IOS IPSEC VPN with NAT - translation problem
I'm having a problem with IOS IPSEC VPN configuration.
/*
crypto ISAKMP policy 10
BA 3des
preshared authentication
Group 2
ISAKMP crypto keys TEST123 address 205.xx.1.4
!
!
Crypto ipsec transform-set esp-3des esp-sha-hmac CHAIN
!
!
Map 10 CRYPTO map ipsec-isakmp crypto
the value of 205.xx.1.4 peer
transformation-CHAIN game
match address 115
!
interface FastEthernet0/0
Description FOR the EDGE ROUTER
IP address 208.xx.xx.33 255.255.255.252
NAT outside IP
card crypto CRYPTO-map
!
interface FastEthernet0/1
INTERNAL NETWORK description
IP 10.15.2.4 255.255.255.0
IP nat inside
access-list 115 permit 192.xx.xx.128 0.0.0.3 ip 172.xx.1.0 0.0.0.3
*/
(This configuration is incomplete / NAT configuration needed)
Here is the solution that I'm looking for:
When a session is initiated from the "internal network" to the "distance IPSEC - 172.xx.1.0/30 ' network I want the address scheme '10.15.0.0/16' NAT translation deals with '192.xx.xx.128/30' before forwarding via the IPSEC VPN Tunnel.
For more information, see "SCHEMA ATTACHED".
Any help is greatly appreciated!
Thank you
Clint Simmons
Network engineer
You can try the following NAT + route map approach (method 2 in this link)
http://www.Cisco.com/en/us/Tech/tk648/tk361/technologies_tech_note09186a0080093fca.shtml
Thank you
Raja K
-
LAN to LAN VPN with NAT - solved!
Hello world
I have problems with a VPN L2L is implemented and logged, however when traffic comes from the other side of the tunnel it is not the host to internal network using a static NAT. Inside host 172.18.30.225 is current NATted to yyy.30.49.14 which is an IP address on the DMZ (yyy.30.49.0 255.255.255.240) Interface.
Here is the configuration
object-group network NET Tunnel
network-host xxx.220.129.134 objectAccess tunnel list - extended ACL permit ip host yyy.30.49.14 object-group NET Tunnel
correspondence address card crypto MAP_Tunnel 20 Tunnel-ACL
the Tunnel-iServer-NAT object network
Home yyy.30.49.14
network of the Tunnel and drop-in iServer object
Home 172.18.30.225network of the Tunnel and drop-in iServer object
NAT (internal, DMZ) static Tunnel-iServer-NATI hope that it is enough for someone to help me.
Thank you
M
Version 8.3.1 ASA
Post edited by: network operations
The internal host does live on the network DMZ or internal? If she lives on the internal network, you can not NAT to the DMZ to interface and make it out of the external Interface, assuming that the external interface is the interface of VPN endpoint. If you terminate the VPN on the DMZ interface and the internal host lives on the internal network, then that's fine.
-
IOS VPN with NAT need help with ACL?
What I forget? I have tried other positions, studied bugs known with 12.2 (13) T1, etc. workaround solutions, but perhaps my other choice of configuration interfere with my VPN configuration.
I can connect, authenticate locally, very well. Stats of Cisco VPN client 3.6.3 show I'm Encrypting traffic on the protected networks, but I can not all traffic through internal hosts once I've connected.
I removed security tags and replaced all the public IP addresses to fake in hope that someone can point me to what is obvious!
Thank you very much.
----------
Current configuration: 5508 bytes
!
! 22:24:38 PST configuration was last modified Thursday February 20, 2003 by kevin
!
version 12.2
horodateurs service debug uptime
Log service timestamps uptime
encryption password service
!
AAA new-model
!
AAA authentication login userauthen local
AAA authorization groupauthor LAN
AAA - the id of the joint session
IP subnet zero
!
IP domain name mondomaine.fr
name of the IP-server 199.13.28.12
name of the IP-server 199.13.29.12
!
IP inspect the audit trail
IP inspect high 1100 max-incomplete
IP inspect a high minute 1100
inspect the tcp IP Ethernet_0_1 name
inspect the IP udp Ethernet_0_1 name
inspect the IP name Ethernet_0_1 cuseeme
inspect the IP name Ethernet_0_1 ftp
inspect the IP h323 Ethernet_0_1 name
inspect the IP rcmd Ethernet_0_1 name
inspect the IP name Ethernet_0_1 realaudio
inspect the IP name smtp Ethernet_0_1
inspect the name Ethernet_0_1 streamworks IP
inspect the name Ethernet_0_1 vdolive IP
inspect the IP name Ethernet_0_1 sqlnet
inspect the name Ethernet_0_1 tftp IP
inspect the IP name Ethernet_0_1 http java-list 99
inspect the name Ethernet_0_1 rtsp IP
inspect the IP name Ethernet_0_1 netshow
inspect the tcp IP Ethernet_0_0 name
inspect the IP name Ethernet_0_0 ftp
inspect the IP udp Ethernet_0_0 name
audit of IP notify Journal
Max-events of po verification IP 100
!
crypto ISAKMP policy 3
BA 3des
preshared authentication
Group 2
ISAKMP crypto nat keepalive 20
!
ISAKMP crypto client configuration group vpngroup
xxxxxxxxx key
DNS 199.13.28.12 199.13.29.12
domain mydomain.com
pool vpnpool
ACL 110
!
!
Crypto ipsec transform-set esp-3des esp-sha-hmac RIGHT
!
Crypto-map dynamic dynmap 10
Set transform-set RIGHT
!
!
map clientmap client to authenticate crypto list userauthen
card crypto clientmap isakmp authorization list groupauthor
client configuration address map clientmap crypto answer
10 ipsec-isakmp crypto map clientmap Dynamics dynmap
!
MTA receive maximum-recipients 0
!
!
interface Ethernet0/0
Description connected to the Internet
IP 199.201.44.198 255.255.255.248
IP access-group 101 in
NAT outside IP
inspect the IP Ethernet_0_0 in
no ip route cache
no ip mroute-cache
Half duplex
clientmap card crypto
!
interface Serial0/0
no ip address
Shutdown
!
interface Ethernet0/1
Connected to the private description
IP 192.168.1.254 255.255.255.0
IP access-group 100 to
IP nat inside
inspect the IP Ethernet_0_1 in
Half duplex
!
IP local pool vpnpool 192.168.2.201 192.168.2.210
period of translation nat IP 119
!!
!! -removed the following line for VPN configuration
!! IP nat inside source list 1 interface Ethernet0/0 overload
!! -replaced by the next line...
IP nat inside source map route sheep interface Ethernet0/0 overload
IP nat inside source 192.168.1.1 static 199.201.44.197
IP classless
IP route 0.0.0.0 0.0.0.0 199.201.44.193 permanent
IP http server
7 class IP http access
local IP http authentication
!
access-list 1 permit 192.168.1.0 0.0.0.255
access-list 5 permit 192.5.41.40
access-list 5 permit 192.5.41.41
access-list 5 refuse any
access-list 7 permit 192.168.1.0 0.0.0.255
access-list 7 refuse any
access-list 99 refuse any
access-list 100 permit udp any eq rip all rip eq
access-list 100 permit tcp 192.168.1.1 host any eq www
access-list 100 permit ip 192.168.1.1 host everything
access list 100 permit tcp host 192.168.1.2 any eq www
access-list 100 permit ip 192.168.1.2 host everything
access-list 100 deny ip 192.168.1.253 host everything
access ip-list 100 permit a whole
access-list 101 deny host ip 199.201.44.197 all
access-list 101 permit tcp any host 199.201.44.197 eq 22
access-list 101 permit tcp any host 199.201.44.197 eq www
access-list 101 permit tcp any host 199.201.44.197 eq 115
access-list 101 permit icmp any host 199.201.44.197
access list 101 ip allow any host 199.201.44.198
access-list 101 permit tcp any host 199.201.44.197 eq 8000
access-list 101 permit tcp any host 199.201.44.197 eq 8080
access-list 101 permit tcp any host 199.201.44.197 eq 9090
access-list 101 permit udp any host 199.201.44.197 eq 7070
access-list 101 permit udp any host 199.201.44.197 eq 554
access-list 110 permit ip 192.168.1.0 0.0.0.255 any
access-list 115 deny ip 192.168.1.0 0.0.0.255 192.168.2.0 0.0.0.255
access-list 115 permit ip 192.168.1.0 0.0.0.255 any
!
sheep allowed 10 route map
corresponds to the IP 115
!
Line con 0
exec-timeout 0 0
password 7 XXXXXXXXXXXXXXX
line to 0
line vty 0 4
password 7 XXXXXXXXXXXXXXXX
!
NTP-period clock 17208655
source NTP Ethernet0/0
peer NTP access-Group 5
NTP 7 use only group-access
NTP master 3
NTP 192.5.41.41 Server
NTP 192.5.41.40 Server
!
end
----------
Config looks OK, you should be able to get for each internal host EXCEPT 192.168.1.1 with this configuration. If you do a ' sho cry ipsec his 'you see Pkts Decaps increment, indicating that you see the traffic of the remote client? " Do you not see Pkts Encaps increment, indicating that you send a response réécrirait the client to the internal host.
For what is 192.168.1.1, because you have this:
> ip nat inside source 192.168.1.1 static 199.201.44.197
It substitutes for this:
> ip nat inside source map route sheep interface Ethernet0/0 overload
for this host traffic only and therefore back for just this host is always NAT would have even if you don't want it to be. To work around to send traffic to this host through an interface of closure with no NAT enabled on it, that it is NAT would have stops and allows you to connect via VPN. You can see http://www.cisco.com/warp/public/707/static.html for a detailed explanation, but basically, we must add this:
loopback interface 0
IP 1.1.1.1 255.255.255.0
interface ethernet0/1
Static IP policy route map
permissible static route map 10
match address 120
set ip next-hop 1.1.1.2
access-list 120 allow host ip 192.168.1.1 192.168.2.0 0.0.0.255
-
L2l VPN with NAT static to hide the IP internal on Cisco 1841 ISR
I configured a VPN L2L on a Cisco 1841 ISR. I'm statically from some of my internal hosts to IPS that are included in encrypted traffic. Please note that not all internal hosts are underway using a NAT. I am doing this for hidden some of the actual IP addresses on the inside network. I confirmed that the VPN works as well as natives of VPN traffic. I configured VPN L2L traditionally on the Cisco ASA 5500 Series devices, and this is my first attempt with HIA of 1841. I want just the other to take a glance to see if I missed something, or could I effectively part of the configuration. All comments are welcome.
VPN-RTR-01 #show run
Building configuration...Current configuration: 9316 bytes
!
version 12.4
horodateurs service debug datetime msec
Log service timestamps datetime msec
encryption password service
!
hostname VPN-RTR-01
!
boot-start-marker
boot-end-marker
!
! type map necessary for vwic/slot-slot 0/0 control
logging buffered 51200 warnings
no console logging
enable secret 5 xxxxxxxxxxxxxxx
enable password 7 xxxxxxxxxxxxxxx
!
No aaa new-model
IP cef
!
!
!
!
no ip domain search
property intellectual auth-proxy max-nodata-& 3
property intellectual admission max-nodata-& 3
!
!
Crypto pki trustpoint TP-self-signed-2010810276
enrollment selfsigned
name of the object cn = IOS - Self - signed - certificate - 2010810276
revocation checking no
rsakeypair TP-self-signed-2010810276
!
!
TP-self-signed-2010810276 crypto pki certificate chain
certificate self-signed 01
30820246 308201AF A0030201 02020101 300 D 0609 2A 864886 F70D0101 04050030
2 060355 04031326 494F532D 53656 C 66 2 AND 536967 6E65642D 43657274 31312F30
69666963 32303130 38313032 6174652D 3736301E 31393334 OF 30333131 170 3131
30365A 17 0D 323030 31303130 30303030 305A 3031 06035504 03132649 312F302D
4F532D53 5369676E 656C662D 43 65727469 66696361 74652 32 30313038 65642D
31303237 3630819F 300 D 0609 2A 864886 01050003, 818, 0030, 81890281 F70D0101
8100C3FF F5EADA3B BCB06873 5577DB24 2AD8ECBB 00D53F1A 37342E2E 5CC9202A
7F128E51 016CD6EC D8734F4D 28BE8B0A FCD6B714 8D13585B 7844C09C 79BA8F13
B75E4E98 25D91F02 A4773F66 83407A8B 85447 64 A6889DD9 6085857F 737F8A9F
749F4297 8804C4F3 D28A6C33 F4137BBE 67F9B945 F239789E 1303AD6D DB98B7E2
52B 50203 010001 HAS 3 1 130101 FF040530 030101FF 30190603 0F060355 6E306C30
551 1104 12301082 0E535458 2D56504E 2 525452 2 303130 1 230418 1F060355 D
3B 232987 30168014 2CBB9DD0 B34B7243 7F8095C8 7AFBEFE3 301D 0603 551D0E04
1604143B 2329872C BB9DD0B3 4B72437F 8095C87A FBEFE330 0D06092A 864886F7
010104 05000381 8100A 831 8E05114A DE8AF6C5 4CB45914 36B6427C 42B30F07 0D
C5C47BC9 0110BCAA A985CB3F 5CBB855B B12D3225 B8021234 86D1952C 655071E4
66C18F42 F84492A9 835DE884 341B3A95 A3CED4E8 F37E7609 88F52640 741D74D2
37842 D 39 E5F2B208 0D4D57E1 C5633DEB ACDFC897 7D50683D 05B5FDAA E42714B4
DD29E815 E9F90877 4 D 68
quit smoking
username privilege 15 password 7 xxxxxxxxxxxxxxx lhocin
username privilege 15 password 7 xxxxxxxxxxxxxxx jsmith
!
!
!
!
crypto ISAKMP policy 5
BA aes 256
preshared authentication
Group 2
lifetime 28800
xxxxxxxxxxxxxxx key address 172.21.0.1 crypto ISAKMP xauth No.
!
!
Crypto ipsec transform-set ESP-AES256-SHA esp - aes 256 esp-sha-hmac
!
card crypto SITES REMOTE VPN-ipsec-isakmp 1
defined by peer 172.21.0.1
game of transformation-ESP-AES256-SHA
match address VPN-REMOTE-SITE
!
!
!
interface FastEthernet0/0
no ip address
automatic speed
full-duplex
No mop enabled
!
interface FastEthernet0/0.1
encapsulation dot1Q 1 native
!
interface FastEthernet0/0.2
Description $FW_INSIDE$
encapsulation dot1Q 61
IP 10.1.0.34 255.255.255.224
IP access-group 100 to
IP nat inside
IP virtual-reassembly
!
interface FastEthernet0/0.3
Description $FW_OUTSIDE$
encapsulation dot1Q 111
IP 172.20.32.17 255.255.255.224
IP access-group 101 in
Check IP unicast reverse path
NAT outside IP
IP virtual-reassembly
crypto VPN-REMOTE-SITE map
!
interface FastEthernet0/1
no ip address
Shutdown
automatic duplex
automatic speed
!
IP forward-Protocol ND
IP route 0.0.0.0 0.0.0.0 172.20.32.1
IP route 10.16.0.0 255.255.0.0 10.1.0.33
IP route 10.19.0.0 255.255.0.0 10.1.0.33
IP route 10.191.0.0 255.255.0.0 10.1.0.33
IP route 10.192.0.0 255.255.0.0 10.1.0.33
IP route 192.168.20.48 255.255.255.240 10.1.0.33
!
!
IP http server
local IP http authentication
IP http secure server
IP http timeout policy inactive 600 life 86400 request 10000
IP nat inside source map route NO_NAT interface FastEthernet0/0.3 overload
IP nat inside source static 10.191.0.11 192.168.20.54 STATIC_NAT_7 card expandable route
IP nat inside source static 10.191.0.12 192.168.20.55 STATIC_NAT_8 card expandable route
IP nat inside source static 10.192.1.1 192.168.20.56 STATIC_NAT_1 card expandable route
IP nat inside source static 10.192.1.2 192.168.20.57 STATIC_NAT_2 card expandable route
IP nat inside source static 10.192.1.3 192.168.20.58 STATIC_NAT_3 card expandable route
IP nat inside source static 10.192.1.4 192.168.20.59 STATIC_NAT_4 card expandable route
IP nat inside source static 10.192.1.5 192.168.20.61 STATIC_NAT_5 card expandable route
IP nat inside source static 10.16.1.6 192.168.20.62 STATIC_NAT_6 card expandable route
!
VPN-REMOTE-SITE extended IP access list
IP 192.168.20.48 allow the host 0.0.0.15 10.174.52.39
IP 192.168.20.48 allow the host 0.0.0.15 10.174.52.40
inside_nat_static_1 extended IP access list
permit ip host 10.192.1.1 10.174.52.39
permit ip host 10.192.1.1 10.174.52.40
refuse an entire ip
inside_nat_static_2 extended IP access list
permit ip host 10.192.1.2 10.174.52.39
permit ip host 10.192.1.2 10.174.52.40
refuse an entire ip
inside_nat_static_3 extended IP access list
permit ip host 10.192.1.3 10.174.52.39
permit ip host 10.192.1.3 10.174.52.40
refuse an entire ip
inside_nat_static_4 extended IP access list
permit ip host 10.192.1.4 10.174.52.39
permit ip host 10.192.1.4 10.174.52.40
refuse an entire ip
inside_nat_static_5 extended IP access list
permit ip host 10.192.1.5 10.174.52.39
permit ip host 10.192.1.5 10.174.52.40
refuse an entire ip
inside_nat_static_6 extended IP access list
permit ip host 10.16.1.6 10.174.52.39
permit ip host 10.16.1.6 10.174.52.40
refuse an entire ip
inside_nat_static_7 extended IP access list
permit ip host 10.191.0.11 10.174.52.39
permit ip host 10.191.0.11 10.174.52.40
refuse an entire ip
inside_nat_static_8 extended IP access list
permit ip host 10.191.0.12 10.174.52.39
permit ip host 10.191.0.12 10.174.52.40
refuse an entire ip
!
access-list 100 remark self-generated by the configuration of the firewall SDM
Access-list 100 = 1 SDM_ACL category note
access-list 100 deny ip 172.20.32.0 0.0.0.31 all
access-list 100 deny ip 255.255.255.255 host everything
access-list 100 deny ip 127.0.0.0 0.255.255.255 everything
access ip-list 100 permit a whole
Remark SDM_ACL category of access list 101 = 17
access-list 101 permit udp any host 192.168.20.62
access-list 101 permit tcp any host 192.168.20.62
access-list 101 permit udp any host 192.168.20.61
access-list 101 permit tcp any host 192.168.20.61
access-list 101 permit udp any host 192.168.20.59
access-list 101 permit tcp any host 192.168.20.59
access-list 101 permit udp any host 192.168.20.58
access-list 101 permit tcp any host 192.168.20.58
access-list 101 permit udp any host 192.168.20.57
access-list 101 permit tcp any host 192.168.20.57
access-list 101 permit udp any host 192.168.20.56
access-list 101 permit tcp any host 192.168.20.56
access-list 101 permit udp any host 192.168.20.55
access-list 101 permit tcp any host 192.168.20.55
access-list 101 permit udp any host 192.168.20.54
access-list 101 permit tcp any host 192.168.20.54
access-list 101 permit ip 10.174.52.40 host 192.168.20.48 0.0.0.15
access-list 101 permit ip 10.174.52.39 host 192.168.20.48 0.0.0.15
access-list 101 permit udp host 172.21.0.1 host 172.20.32.17 eq non500-isakmp
access-list 101 permit udp host 172.21.0.1 host 172.20.32.17 eq isakmp
access-list 101 permit esp 172.21.0.1 host 172.20.32.17
access-list 101 permit ahp host 172.21.0.1 172.20.32.17
access-list 101 permit icmp any host 172.20.32.17 - response
access-list 101 permit icmp any host 172.20.32.17 time limit
access-list 101 permit icmp any unreachable host 172.20.32.17
access-list 101 permit udp any host isakmp 172.20.32.17 newspaper eq
access-list 101 permit udp any host 172.20.32.17 eq non500-isakmp
access-list 101 permit tcp any host 172.20.32.17 eq 443
access-list 101 permit tcp any host 172.20.32.17 eq 22
access-list 101 permit tcp any host 172.20.32.17 eq cmd
access-list 101 deny ip 10.1.0.32 0.0.0.31 all
access-list 101 deny ip 10.0.0.0 0.255.255.255 everything
access-list 101 deny ip 172.16.0.0 0.15.255.255 all
access-list 101 deny ip 192.168.0.0 0.0.255.255 everything
access-list 101 deny ip 127.0.0.0 0.255.255.255 everything
access-list 101 deny ip 255.255.255.255 host everything
access-list 101 deny host ip 0.0.0.0 everything
access-list 101 deny ip any any newspaper
access-list 102 deny ip 192.168.20.48 0.0.0.15 host 10.174.52.40
access-list 102 deny ip 192.168.20.48 0.0.0.15 host 10.174.52.39
access-list 102 permit ip 10.1.0.32 0.0.0.31 all
!
allowed NO_NAT 1 route map
corresponds to the IP 102
!
STATIC_NAT_8 allowed 10 route map
inside_nat_static_8 match ip address
!
STATIC_NAT_5 allowed 10 route map
inside_nat_static_5 match ip address
!
STATIC_NAT_4 allowed 10 route map
inside_nat_static_4 match ip address
!
STATIC_NAT_7 allowed 10 route map
inside_nat_static_7 match ip address
!
STATIC_NAT_6 allowed 10 route map
inside_nat_static_6 match ip address
!
STATIC_NAT_1 allowed 10 route map
inside_nat_static_1 match ip address
!
STATIC_NAT_3 allowed 10 route map
inside_nat_static_3 match ip address
!
STATIC_NAT_2 allowed 10 route map
inside_nat_static_2 match ip address
!
!
!
control plan
!
!
!
Line con 0
exec-timeout 30 0
line to 0
line vty 0 4
privilege level 15
local connection
transport input telnet ssh
line vty 5 15
privilege level 15
local connection
transport input telnet ssh
!
Scheduler allocate 20000 1000
endVPN-RTR-01 #.
Hello
Configuration looks ok to me.
yet you can cross-reference with the following link:
http://www.Cisco.com/en/us/Tech/tk583/TK372/technologies_configuration_example09186a0080223a59.shtml
I hope this helps.
Kind regards
Anisha
P.S.: Please mark this thread as answered if you feel that your query is resolved. Note the useful messages.
-
Hi all
I'm quite inexperienced in this subject and would appreciate advice on this
I need to create a VPN tunnel between our site and a remote site.
On our site, we are a network 192.168.0.X our external ip address is 12.53.150.100
We need to connect to the site is 69.144.38.48
We need to move from host to host meaning 192.168.0.97--> 69.144.38.50 and they want our ip to translate to 10.9.250.1
Thanks in advance
Jason
Are you familiar with the establishment of a regular L2L tunnel? In addition to this, you just create a nat policy:
access-list extended 100 permit ip host 192.168.0.97 69.144.38.50
public static 10.9.250.1 (inside, outside) - access list 100
When you define your ACL crypto, you specify 10.9.250.1 as the source instead of 192.168.0.97.
Let me know if you need help most.
-
Cisco ASA (site A) with 2 L2L-VLNs (call the Site B and Site C)
I need "inbound nat' Site-C network.
Let me explain better:
-Site-B (10.14.63.0/24) accepts only traffic between the local network of the site-A (10.1.6.0/24), and I can't change the VPN.
-Now, I've logged on the Site-A site-C, and this must also communicate with site-B
-So I thought I have nat, the network of Site-C (10.168.3.0/24) in order to present with an IP of A Site.
Possible?
And how to configure the ASA at the Site-A?
Thank you
Claudio
Hello
What is the level of software on the Site to ASA?
-Jouni
-
Hello
I had a quick... On a PIX, NAT require one of the interfaces for an IP address with the subnet of the global address?
For example... If 5.5.5.0/24 is my global nat, this will require one of my interfaces to be configured with the 5.5.5/24 subnet?
Thank you!
No, but it should be routable. This means that you must have a router Interior which manages the Routing and that you have configured an interior road to this router.
example:
IP address inside 1.1.1.1 255.255.255.0
NAT (inside) 1 5.5.5.0 255.255.255.0
NAT (inside) 1 1.1.1.0 255.255.255.0
Route inside 5.5.5.0 255.255.255.0 1.1.1.2
Route outside 0.0.0.0 0.0.0.0 RouterPubIP
sincerely
Patrick
-
I'm sure this question has been asked several times, but I want to assure you that I understand before proceeding.
I set up a site to site VPN IPSec between two ASAs.
I want to an internal host NAT which link to the counterpart of my VPN network. So I need to make sure that traffic from this host internal is NATted before entering the VPN tunnel as "interesting traffic.
So let's say that distance 192.168.20.0/24 network connects via the IPSec VPN tunnel with their peers, 65.200.1.1 and 198.14.7.10, to host the 10.100.1.7 on my network.
I want NAT host 10.100.1.7 to 192.168.100.5 to the remote network connects to the 192 address, not the 10
How can I do this?
(I use an ASA 5505)
Hello Colin,
That's right, it's one of the great things about the changes on the version 8.3 and prior. You can create a political rule of nat in a single line.
Please let me know if you understand this or if there is something else I can do for you.
Evaluate the useful ticket.
Have a good night,
Julio
-
concentrator 3000 2 lan lan VPN with NAT
I need to configure a vpn lan-2lan between 2 3030 concentrators (separate companies) on the Internet. My company assigns a small subnet for hosts sitting on the client network. The customer wants to use their own IP subnet and assign IP addresses within their range. So, they do static NAT on their hub. Is this possible? Or have they NAT s pc before arriving to the hub? Any help much appreciated.
Hello
Concentrator VPN supports the NAT.
HTH
Kind regards
GE.
-
Cisco Asa vpn site-to-site with nat
Hi all
I need help
I want to make a site from the site with nat vpn
Site A = 10.0.0.0/24
Site B = 10.1.252.0/24I want when site A to site B, either by ip 172.26.0.0/24
Here is my configuration
inside_nat_outbound to access ip 10.0.0.0 scope list allow 255.255.255.0 10.1.252.0 255.255.255.0
tunnel-group x.x.x.x type ipsec-l2l
tunnel-group ipsec-attributes x.x.x.x
pre-shared-key!ISAKMP retry threshold 10 keepalive 2
Crypto ipsec transform-set ESP-AES-256-SHA 256 - aes - esp esp-sha-hmac
card crypto outside_map 2 match address inside_nat_outboundcard crypto outside_map 2 pfs set group5
card crypto outside_map 2 peers set x.x.x.xcard crypto outside_map 2 game of transformation-ESP-AES-256-SHA
NAT (inside) 10 inside_nat_outbound
Global 172.26.0.1 - 172.26.0.254 10 (outside)
but do not work.
Can you help me?
Concerning
Frédéric
You must ensure that there is no NAT 0 ACL statement because it will take precedence over the static NAT.
You don't need:
Global 172.26.0.1 - 172.26.0.254 10 (outside)
NAT (inside) 10 access-list nattoyr
Because it will be replaced by the static NAT.
In a Word is enough:
nattoyr to access ip 10.0.0.0 scope list allow 255.255.255.0 10.1.252.0 255.255.255.0
access extensive list ip 172.26.0.0 vpntoyr allow 255.255.255.0 10.1.252.0 255.255.255.0
public static 172.26.0.0 (inside, outside) - nattoyr access list
card crypto outside_map 2 match address vpntoyr
card crypto outside_map 2 pfs set group5
card crypto outside_map 2 defined peer "public ip".
card crypto outside_map 2 game of transformation-ESP-AES-256-SHA
outside_map interface card crypto outside
tunnel-group "public ip" type ipsec-l2l
tunnel-group "public ip" ipsec-attributes
pre-shared key *.
-Make sure that it not there no NAT ACL 0 including the above statements and check if NAT happening (sh xlate) and the
traffic is being encryption (sh cry ips its)
Federico.
-
Hi all!
I have a question about L2L VPN and NAT.
Can I set up the VPN tunnel between two ASAs or routers using the NAT translation from within the private IP addresses to a single public IP address outside the interface and then implement interesting crypto with the source of the public IP address and the destination of the remote private network on the other end (also ASA). For example, I want to translate a private network to the public ip address at one end and use the VPN tunnel with a public IP address as the source. Policy-NAT is not an option, because we really do not want to provide any IP address to the remote end, and IP addresses of the remote end can overlap with our end.
Thank you!
Hello
You can definitely set up an IPSec tunnel between two devices in the translation of your subnet in a single public IP address. You just create the translation and as you mentioned define interesting traffic using the public IP address.
This is exactly what we call political NAT, I don't understand why you say that NAT policy is not an option. Perhapps you misunderstood concept NAT policy or I misunderstood your question.
For example, assuming that the LAN private at your side is 172.16.1.0/24, the remote subnet is 192.168.150.0/24, and that the public IP address that you want to use is 200.200.200.200 your NAT config should look like this:
access-list 199 permit ip 172.16.1.0 255.255.252.0 192.168.150.0 255.255.255.0
Global (outside) 6 200.200.200.200
NAT (inside) 6 access-L199
Which would be NAT traffic to the public IP address only when the traffic matches the ACL.
Your ACL crypto should then be something like
cryptomap list of allowed access host ip 200.200.200.200 192.168.150.0 255.255.255.0
That would hide your address real and all they see is the public IP address you give them. Note that since the NAT takes place on your side your side will be able to raise the tunnel.
I hope this helps.
Raga
-
Application of VPN S2S (with NAT)
Hello experts,
ASA (8.2) and standard Site 2 Site Internet access related configs.
Outside: 1.1.1.1/24-> peer IP VPN S2S.
Inside: Pvt subnets
Standard "Nat 0' orders and crypto ACL for our remote offices, local networks with IP whp program.
Requirement:
Need to connect the PC to external clients (3.3.3.3 & 4.4.4.4) on tcp/443 via vpn S2S on our LAN. Client only accepts only the host with public IPs.
I need NAT to my internal IP to the public IP say 1.1.1.2 and establish the VPN tunnel between 1.1.1.1-> PRi Client-side & secondary IPs (Cisco router).
(without losing connectivity to remote offices). No policy NAT work here?
ex:
My Intern: 10.0.0.0/8 and 192.168.0.0/16
Assigned IP available for NAT (some time to connect to the client only): 1.1.1.5External client LAN IPs: 3.3.3.3 & 4.4.4.4
PAT: permit TOCLIENT object-group MYLAN object-group CUSTOMER LAN ip extended access-list
NAT (inside) 5-list of access TOCLIENT
5 1.1.1.5 (outside) global
Crypto: tcp host 1.1.1.5 allowed extended CRYPTO access list object-group CUSTOMER LAN eq 443Outsidemap 1 crypto card matches the address CRYPTO
Customer will undertake to peer with IP 1.1.1.1 only.Do I need a ' Nat 0' configs here?
Also, for the specifications of the phase 2, it is not transform-set options gives. Info given was
Phase2: AH: people with mobility reduced, life: 3 600 s, PFS: disabled, LZS Compression: disabled.
This works with options of the phase 2?Thanks in advance
MS
Hello
«Existing NAT (inside) 1
& global (outside) does not interfere with NAT 5 when users try to reach the ClientLAN.» Your inside nat index is '1', while the dynamic policy-nat is index '5 '.
"" For the phase 2 in general, we define Crypto ipsec transform-set TEST
". Sure, the remote tunnel peers even accept transform set, everything you put up with the example below and distant homologous put the same tunnel.
Crypto ipsec transform-set ESP-AES-128-SHA aes - esp esp-sha-hmac
"In this scenario, no need to define any what
and just add empty transform don't set statement under card crypto? No you need a defined transformation.
"3. If we want to limit the destination port 443, I need to use separate VPN filters?
That's right, use a vpn-filter.
"4. we have several phase 1 configs, but wanted to use AES256 & DH5 (new policy)"... for s2s, these options work fine. ""
Of course, you have set the phase 1, as required.
Thank you
Rizwan James
-
IOS - help with VPN IPsec L2L with NAT
Hello guys
I tried to get VPN to work for a specific scenario where I do NAT for VPN traffic to avoid the duplication of subnet.
I found several guides on cisco.com, but all the ones I found does not (or how) overload NAT (for internet traffic), I need for my setup.
http://www.Cisco.com/en/us/Tech/tk583/TK372/technologies_configuration_example09186a00800b07ed.shtml
http://www.Cisco.com/en/us/products/ps5855/products_configuration_example09186a0080a0ece4.shtml
Basically, I need to know how the configuration looks like when make you static NAT in a VPN tunnel as well as provide internet connectivity using NAT in the same router?
I have attached a drawing that needs to better explain my needs.
Someone knows a guide that shows how to do this?
Best regards
Jesper
You can use a static policy NAT NAT the traffic:
access-list 101 permit ip 10.0.0.0 0.0.0.255 10.30.10.0 0.0.0.0.255
access-list 102 deny ip 10.0.0.0 0.0.0.255 10.30.10.0 0.0.0.0.255
access-list 102 permit ip 10.0.0.0 0.0.0.255 any
policy-NAT allowed 10 route map
corresponds to the IP 101
internet-NAT allowed 10 route map
corresponds to the IP 102
IP nat inside source static network 10.0.0.0 road policy-NAT 10.30.10.0/24-feuille
IP nat inside source map route internet-NAT interface overloading
Hope that helps.
Maybe you are looking for
-
How can I get rid of lunaticake? I have an iMac w/Mavericks.
How can I get rid of lunaticake? It must have maliciously charged when I downloaded an update of Silverlight.
-
Printer driver install resulted in double Program Files folder - how can I remove it?
Trouble installing a lexmark printer driver led to a work folder lexmark Program Files (x 86) and a 2nd same lexmark folder in a new folder of C: drive called "Program Files (x 86) (x 86)". Only lexmark files are in this new folder in program files.
-
Error, says - username or password is incorrect
OK so today, I was on my account on windows 7 Home premium (I am the only admin on my computer) and I go down to my sister after I try to climb again on but it says my username or password is incorrect, so I try to do different things to arrive as cm
-
I burned a dvd of my USB movie. the movie is great, but not sound at all. Why? can anyone help.
-
Update 2015 / / mobile site extremely slow
I'm working on a fairly large for one of our customers site.However, as I've updated to Muse CC 2015 this morning, the mobile Web site has become extremely slow when published.The project is almost finished and testruns at our own Publisher, I notice