VPN with NAT Interface

Hello

I am trying to set up a VPN between a VLAN I have defined and another office. I have been using NAT on the interface for internet access with a NAT pool.

I created the VPN with a crypto map and the VPN is successfully registered.

The problem I encounter is that with NAT enabled, internet access is working but I can ping through the VPN.

If I disable NAT, the VPN works perfectly, but then the VLAN cannot access the internet.

What should I do differently?

Here is the config:

Feature: 2911 with security package

Local network: 10.10.104.0/24

Remote network: 192.168.1.0/24

Public range: 65.49.46.68/28

crypto isakmp policy 104
 encr 3des
 authentication pre-share
 group 2
 lifetime 28800
crypto isakmp key REDACTED address 75.76.102.50
crypto ipsec transform-set strongsha esp-3des esp-sha-hmac
crypto map OFFICE 104 ipsec-isakmp
 set peer 75.76.102.50
 set transform-set strongsha
 match address 104

interface GigabitEthernet0/0
 ip address 65.49.46.68 255.255.255.240
 ip flow ingress
 ip nat outside
 ip virtual-reassembly
 duplex full
 speed 100
 standby 0 ip 65.49.46.70
 standby 0 timers 2 6
 standby 0 preempt
 crypto map OFFICE redundancy WAN

interface GigabitEthernet0/2.104
 encapsulation dot1Q 104
 ip address 10.10.104.254 255.255.255.0

ip nat pool wan_access 65.49.46.70 65.49.46.70 prefix-length 28
ip nat inside source list 99 pool wan_access overload

access-list 99 permit 10.10.104.0 0.0.0.255
access-list 104 permit ip 10.10.104.0 0.0.0.255 192.168.1.0 0.0.0.255
access-list 104 permit ip 192.168.1.0 0.0.0.255 10.10.104.0 0.0.0.255
access-list 104 permit icmp 10.10.104.0 0.0.0.255 192.168.1.0 0.0.0.255
access-list 104 permit icmp 192.168.1.0 0.0.0.255 10.10.104.0 0.0.0.255

#sh crypto isakmp sa

IPv4 Crypto ISAKMP SA

dst             src             state          conn-id status

65.49.46.70     75.76.102.50    QM_IDLE           1299 ACTIVE

Hello!

Please, make these changes:

ip access-list extended Internet-NAT
 deny ip 10.10.104.0 0.0.0.255 192.168.1.0 0.0.0.255
 permit ip 10.10.104.0 0.0.0.255 any

ip nat inside source list Internet-NAT pool wan_access overload

* Please do not remove the old NAT instance until you add that above.

Please keep me posted.

Thank you!

Sent from Cisco Technical Support Android App
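
The order of operations behind this fix, as an added example that is not part of the original thread: on IOS, inside-to-outside traffic is translated by NAT before the crypto map ACL is checked, so a flow that NAT rewrites to the pool address no longer matches crypto ACL 104. The Python model below replays the thread's ACLs against two constructed flows; the host addresses 10.10.104.10, 192.168.1.20 and 198.51.100.7 are assumptions, and only `ip` entries are modelled.

```python
import ipaddress

ANY = ("0.0.0.0", "255.255.255.255")


def wildcard_match(addr, base, wildcard):
    """Cisco wildcard match: bits set in the wildcard are 'don't care'."""
    a, b, w = (int(ipaddress.IPv4Address(x)) for x in (addr, base, wildcard))
    care = ~w & 0xFFFFFFFF
    return (a & care) == (b & care)


def take_addr(tokens):
    """Consume 'any', 'host A', 'A WILDCARD' or a bare 'A' from the token list."""
    if tokens[0] == "any":
        del tokens[0]
        return ANY
    if tokens[0] == "host":
        base = tokens[1]
        del tokens[:2]
        return (base, "0.0.0.0")
    if len(tokens) == 1:  # standard ACL entry with a single host address
        return (tokens.pop(0), "0.0.0.0")
    base, wildcard = tokens[0], tokens[1]
    del tokens[:2]
    return (base, wildcard)


def parse_acl(lines):
    """Parse 'permit|deny [ip] SRC [DST]' entries into (action, src, dst).

    Entries without a protocol keyword are standard-ACL entries: they match
    on source only, so the destination is treated as 'any'.
    """
    entries = []
    for line in lines:
        tokens = line.split()
        action = tokens.pop(0)
        if action not in ("permit", "deny"):
            raise ValueError(f"unsupported entry: {line!r}")
        if tokens[0] == "ip":
            tokens.pop(0)
            src = take_addr(tokens)
            dst = take_addr(tokens)
        else:
            src, dst = take_addr(tokens), ANY
        entries.append((action, src, dst))
    return entries


def acl_permits(entries, src, dst):
    """First-match evaluation, with the implicit deny at the end of the list."""
    for action, (sb, sw), (db, dw) in entries:
        if wildcard_match(src, sb, sw) and wildcard_match(dst, db, dw):
            return action == "permit"
    return False


def outbound_path(nat_acl, crypto_acl, pool_ip, src, dst):
    """Model an inside-to-outside packet: NAT first, then the crypto ACL.

    The crypto ACL is checked against the source address as it looks after
    NAT, which is why a translated packet can fall out of the tunnel.
    """
    translated = acl_permits(nat_acl, src, dst)
    wire_src = pool_ip if translated else src
    encrypted = acl_permits(crypto_acl, wire_src, dst)
    return {"wire_src": wire_src, "translated": translated, "encrypted": encrypted}


# ACLs taken from the thread.
POOL_IP = "65.49.46.70"
ACL_99 = parse_acl(["permit 10.10.104.0 0.0.0.255"])
INTERNET_NAT = parse_acl([
    "deny ip 10.10.104.0 0.0.0.255 192.168.1.0 0.0.0.255",
    "permit ip 10.10.104.0 0.0.0.255 any",
])
CRYPTO_104 = parse_acl([
    "permit ip 10.10.104.0 0.0.0.255 192.168.1.0 0.0.0.255",
    "permit ip 192.168.1.0 0.0.0.255 10.10.104.0 0.0.0.255",
])

# Constructed sample flows (assumed host addresses, not from the thread).
VPN_FLOW = ("10.10.104.10", "192.168.1.20")
WEB_FLOW = ("10.10.104.10", "198.51.100.7")

if __name__ == "__main__":
    for name, nat_acl in (("list 99", ACL_99), ("Internet-NAT", INTERNET_NAT)):
        for label, flow in (("to remote LAN", VPN_FLOW), ("to internet", WEB_FLOW)):
            print(f"{name:13} {label:14}", outbound_path(nat_acl, CRYPTO_104, POOL_IP, *flow))
```

With list 99 the remote-LAN flow leaves as 65.49.46.70 and is not selected for encryption; with Internet-NAT it keeps its 10.10.104.x source and matches ACL 104, while internet traffic is still translated.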

Tags: Cisco Security

Similar Questions

  • Remote host IP SLA ping by tunnel VPN with NAT

    Hi all

    I did some research here, but didn't come across similar issues. I'm sure that what I want is not possible, but I want to make sure.

    I want to monitor a remote host on the other side of a VPN. The local endpoint is my ASA.

    The local INSIDE_LAN traffic is NATted to 10.19.124.1 before entering the VPN tunnel.

    ACL used by the crypto map for interesting VPN traffic:

    access-list ACL_TUNNELED_TO_REMOTE line 1 extended permit ip host 10.19.124.1 192.168.1.0 255.255.255.0

    NAT rules:

    global (OUTSIDE) 2 10.19.124.1 netmask 255.255.255.255

    nat (INSIDE_LAN) 2 access-list ACL_NAT_TO_REMOTE

    NAT ACL:

    access-list ACL_NAT_TO_REMOTE line 1 extended permit ip 172.19.126.32 255.255.255.224 192.168.1.0 255.255.255.0

    This configuration works very well for traffic from hosts in 172.19.126.32 255.255.255.224 to 192.168.1.0 255.255.255.0.

    However, I would like to use "ip sla" on the ASA itself to monitor a remote host with icmp ping 192.168.1.0. This would imply NATting one IP on the ASA to 10.19.124.1, but I do not see how to do this. None of the interfaces on the ASA are logical to use as a source interface for this.

    Thanks for ideas and comments.

    Regards

    You are absolutely right; unfortunately you won't be able to NAT the ASA interface IP address. NAT works for traffic passing through the ASA, not for traffic that comes from the ASA itself.

  • IOS IPSEC VPN with NAT - translation problem

    I'm having a problem with IOS IPSEC VPN configuration.

    /*
    crypto isakmp policy 10
     encr 3des
     authentication pre-share
     group 2
    crypto isakmp key TEST123 address 205.xx.1.4
    !
    !
    crypto ipsec transform-set CHAIN esp-3des esp-sha-hmac
    !
    !
    crypto map CRYPTO-map 10 ipsec-isakmp
     set peer 205.xx.1.4
     set transform-set CHAIN
     match address 115
    !
    interface FastEthernet0/0
     description FOR the EDGE ROUTER
     ip address 208.xx.xx.33 255.255.255.252
     ip nat outside
     crypto map CRYPTO-map
    !
    interface FastEthernet0/1
     description INTERNAL NETWORK
     ip address 10.15.2.4 255.255.255.0
     ip nat inside

    access-list 115 permit ip 192.xx.xx.128 0.0.0.3 172.xx.1.0 0.0.0.3
    */

    (This configuration is incomplete / NAT configuration needed)

    Here is the solution that I'm looking for:

    When a session is initiated from the "internal network" to the "remote IPSEC - 172.xx.1.0/30" network, I want the "10.15.0.0/16" address scheme to be NAT-translated to "192.xx.xx.128/30" before forwarding via the IPSEC VPN tunnel.

    For more information, see "SCHEMA ATTACHED".

    Any help is greatly appreciated!

    Thank you

    Clint Simmons

    Network engineer

    You can try the following NAT + route map approach (method 2 in this link)

    http://www.Cisco.com/en/us/Tech/tk648/tk361/technologies_tech_note09186a0080093fca.shtml

    Thank you

    Raja K

  • LAN to LAN VPN with NAT - solved!

    Hello world

    I have problems with an L2L VPN. It is implemented and logged; however, when traffic comes from the other side of the tunnel it does not reach the internal network host that uses a static NAT. Inside host 172.18.30.225 is currently NATted to yyy.30.49.14, which is an IP address on the DMZ interface (yyy.30.49.0 255.255.255.240).

    Here is the configuration

    object-group network NET Tunnel
    network-host xxx.220.129.134 object

    Access tunnel list - extended ACL permit ip host yyy.30.49.14 object-group NET Tunnel

    crypto map MAP_Tunnel 20 match address Tunnel-ACL

    the Tunnel-iServer-NAT object network
    Home yyy.30.49.14
    network of the Tunnel and drop-in iServer object
    Home 172.18.30.225

    network of the Tunnel and drop-in iServer object
    NAT (internal, DMZ) static Tunnel-iServer-NAT

    I hope that it is enough for someone to help me.

    Thank you

    M

    Version 8.3.1 ASA

    Post edited by: network operations

    Does the internal host live on the DMZ network or the internal network? If it lives on the internal network, you cannot NAT it to the DMZ interface and send it out of the external interface, assuming that the external interface is the VPN endpoint interface. If you terminate the VPN on the DMZ interface and the internal host lives on the internal network, then that's fine.

  • IOS VPN with NAT need help with ACL?

    What am I forgetting? I have tried other posts, studied known bugs with 12.2(13)T1, workaround solutions, etc., but perhaps my other configuration choices interfere with my VPN configuration.

    I can connect and authenticate locally just fine. Stats of Cisco VPN client 3.6.3 show I'm encrypting traffic on the protected networks, but I cannot get any traffic through to internal hosts once I've connected.

    I removed security tags and replaced all the public IP addresses with fake ones in the hope that someone can point me to what is obvious!

    Thank you very much.

    ----------

    Current configuration : 5508 bytes
    !
    ! Last configuration change at 22:24:38 PST Thu Feb 20 2003 by kevin
    !
    version 12.2
    service timestamps debug uptime
    service timestamps log uptime
    service password-encryption
    !
    aaa new-model
    !
    aaa authentication login userauthen local
    aaa authorization network groupauthor local
    aaa session-id common
    ip subnet-zero
    !
    ip domain-name mondomaine.fr
    ip name-server 199.13.28.12
    ip name-server 199.13.29.12
    !
    ip inspect audit-trail
    ip inspect max-incomplete high 1100
    ip inspect one-minute high 1100
    ip inspect name Ethernet_0_1 tcp
    ip inspect name Ethernet_0_1 udp
    ip inspect name Ethernet_0_1 cuseeme
    ip inspect name Ethernet_0_1 ftp
    ip inspect name Ethernet_0_1 h323
    ip inspect name Ethernet_0_1 rcmd
    ip inspect name Ethernet_0_1 realaudio
    ip inspect name Ethernet_0_1 smtp
    ip inspect name Ethernet_0_1 streamworks
    ip inspect name Ethernet_0_1 vdolive
    ip inspect name Ethernet_0_1 sqlnet
    ip inspect name Ethernet_0_1 tftp
    ip inspect name Ethernet_0_1 http java-list 99
    ip inspect name Ethernet_0_1 rtsp
    ip inspect name Ethernet_0_1 netshow
    ip inspect name Ethernet_0_0 tcp
    ip inspect name Ethernet_0_0 ftp
    ip inspect name Ethernet_0_0 udp
    ip audit notify log
    ip audit po max-events 100
    !
    crypto isakmp policy 3
     encr 3des
     authentication pre-share
     group 2
    crypto isakmp nat keepalive 20
    !
    crypto isakmp client configuration group vpngroup
     key xxxxxxxxx
     dns 199.13.28.12 199.13.29.12
     domain mydomain.com
     pool vpnpool
     acl 110
    !
    !
    crypto ipsec transform-set RIGHT esp-3des esp-sha-hmac
    !
    crypto dynamic-map dynmap 10
     set transform-set RIGHT
    !
    !
    crypto map clientmap client authentication list userauthen
    crypto map clientmap isakmp authorization list groupauthor
    crypto map clientmap client configuration address respond
    crypto map clientmap 10 ipsec-isakmp dynamic dynmap
    !
    mta receive maximum-recipients 0
    !
    !
    interface Ethernet0/0
     description connected to the Internet
     ip address 199.201.44.198 255.255.255.248
     ip access-group 101 in
     ip nat outside
     ip inspect Ethernet_0_0 in
     no ip route-cache
     no ip mroute-cache
     half-duplex
     crypto map clientmap
    !
    interface Serial0/0
     no ip address
     shutdown
    !
    interface Ethernet0/1
     description connected to the private
     ip address 192.168.1.254 255.255.255.0
     ip access-group 100 in
     ip nat inside
     ip inspect Ethernet_0_1 in
     half-duplex
    !
    ip local pool vpnpool 192.168.2.201 192.168.2.210
    ip nat translation timeout 119
    !!
    !! -removed the following line for VPN configuration
    !! ip nat inside source list 1 interface Ethernet0/0 overload
    !! -replaced by the next line...
    ip nat inside source route-map sheep interface Ethernet0/0 overload
    ip nat inside source static 192.168.1.1 199.201.44.197
    ip classless
    ip route 0.0.0.0 0.0.0.0 199.201.44.193 permanent
    ip http server
    ip http access-class 7
    ip http authentication local
    !
    access-list 1 permit 192.168.1.0 0.0.0.255
    access-list 5 permit 192.5.41.40
    access-list 5 permit 192.5.41.41
    access-list 5 deny any
    access-list 7 permit 192.168.1.0 0.0.0.255
    access-list 7 deny any
    access-list 99 deny any
    access-list 100 permit udp any eq rip any eq rip
    access-list 100 permit tcp host 192.168.1.1 any eq www
    access-list 100 permit ip host 192.168.1.1 any
    access-list 100 permit tcp host 192.168.1.2 any eq www
    access-list 100 permit ip host 192.168.1.2 any
    access-list 100 deny ip host 192.168.1.253 any
    access-list 100 permit ip any any
    access-list 101 deny ip host 199.201.44.197 any
    access-list 101 permit tcp any host 199.201.44.197 eq 22
    access-list 101 permit tcp any host 199.201.44.197 eq www
    access-list 101 permit tcp any host 199.201.44.197 eq 115
    access-list 101 permit icmp any host 199.201.44.197
    access-list 101 permit ip any host 199.201.44.198
    access-list 101 permit tcp any host 199.201.44.197 eq 8000
    access-list 101 permit tcp any host 199.201.44.197 eq 8080
    access-list 101 permit tcp any host 199.201.44.197 eq 9090
    access-list 101 permit udp any host 199.201.44.197 eq 7070
    access-list 101 permit udp any host 199.201.44.197 eq 554
    access-list 110 permit ip 192.168.1.0 0.0.0.255 any
    access-list 115 deny ip 192.168.1.0 0.0.0.255 192.168.2.0 0.0.0.255
    access-list 115 permit ip 192.168.1.0 0.0.0.255 any
    !
    route-map sheep permit 10
     match ip address 115
    !
    line con 0
     exec-timeout 0 0
     password 7 XXXXXXXXXXXXXXX
    line aux 0
    line vty 0 4
     password 7 XXXXXXXXXXXXXXXX
    !
    ntp clock-period 17208655
    ntp source Ethernet0/0
    ntp access-group peer 5
    ntp access-group serve-only 7
    ntp master 3
    ntp server 192.5.41.41
    ntp server 192.5.41.40
    !
    end

    ----------

    Config looks OK; you should be able to get to each internal host EXCEPT 192.168.1.1 with this configuration. If you do a 'sho cry ipsec sa', do you see Pkts Decaps increment, indicating that you see the traffic from the remote client? Do you not see Pkts Encaps increment, which would indicate that a response is being sent back to the client from the internal host?

    As for 192.168.1.1, because you have this:

    > ip nat inside source static 192.168.1.1 199.201.44.197

    It overrides this:

    > ip nat inside source route-map sheep interface Ethernet0/0 overload

    for this host's traffic only, and therefore return traffic for just this host always gets NATted even if you don't want it to be. To work around this, send traffic from this host through a loopback interface with no NAT enabled on it, so that it stops being NATted and you can connect via VPN. You can see http://www.cisco.com/warp/public/707/static.html for a detailed explanation, but basically, you must add this:

    interface loopback 0
     ip address 1.1.1.1 255.255.255.0

    interface ethernet0/1
     ip policy route-map static

    route-map static permit 10
     match ip address 120
     set ip next-hop 1.1.1.2

    access-list 120 permit ip host 192.168.1.1 192.168.2.0 0.0.0.255

  • L2l VPN with NAT static to hide the IP internal on Cisco 1841 ISR

    I configured an L2L VPN on a Cisco 1841 ISR. I'm statically NATting some of my internal hosts to IPs that are included in the encrypted traffic. Please note that not all internal hosts are being NATted. I am doing this to hide some of the actual IP addresses on the inside network. I confirmed that the VPN works, as well as the NATting of VPN traffic. I have traditionally configured L2L VPNs on Cisco ASA 5500 Series devices, and this is my first attempt with the 1841 ISR. I just want another pair of eyes to take a glance to see if I missed something, or whether I could make part of the configuration more efficient. All comments are welcome.

    VPN-RTR-01#show run
    Building configuration...

    Current configuration : 9316 bytes
    !
    version 12.4
    service timestamps debug datetime msec
    service timestamps log datetime msec
    service password-encryption
    !
    hostname VPN-RTR-01
    !
    boot-start-marker
    boot-end-marker
    !
    ! card type command needed for slot/vwic-slot 0/0
    logging buffered 51200 warnings
    no logging console
    enable secret 5 xxxxxxxxxxxxxxx
    enable password 7 xxxxxxxxxxxxxxx
    !
    no aaa new-model
    ip cef
    !
    !
    !
    !
    no ip domain lookup
    ip auth-proxy max-nodata-conns 3
    ip admission max-nodata-conns 3
    !
    !
    crypto pki trustpoint TP-self-signed-2010810276
     enrollment selfsigned
     subject-name cn=IOS-Self-Signed-Certificate-2010810276
     revocation-check none
     rsakeypair TP-self-signed-2010810276
    !
    !
    crypto pki certificate chain TP-self-signed-2010810276
     certificate self-signed 01
     quit
    username lhocin privilege 15 password 7 xxxxxxxxxxxxxxx
    username jsmith privilege 15 password 7 xxxxxxxxxxxxxxx
    !
    !
    !
    !
    crypto isakmp policy 5
     encr aes 256
     authentication pre-share
     group 2
     lifetime 28800
    crypto isakmp key xxxxxxxxxxxxxxx address 172.21.0.1 no-xauth
    !
    !
    crypto ipsec transform-set ESP-AES256-SHA esp-aes 256 esp-sha-hmac
    !
    crypto map VPN-REMOTE-SITE 1 ipsec-isakmp
     set peer 172.21.0.1
     set transform-set ESP-AES256-SHA
     match address VPN-REMOTE-SITE
    !
    !
    !
    interface FastEthernet0/0
     no ip address
     speed auto
     full-duplex
     no mop enabled
    !
    interface FastEthernet0/0.1
     encapsulation dot1Q 1 native
    !
    interface FastEthernet0/0.2
     description $FW_INSIDE$
     encapsulation dot1Q 61
     ip address 10.1.0.34 255.255.255.224
     ip access-group 100 in
     ip nat inside
     ip virtual-reassembly
    !
    interface FastEthernet0/0.3
     description $FW_OUTSIDE$
     encapsulation dot1Q 111
     ip address 172.20.32.17 255.255.255.224
     ip access-group 101 in
     ip verify unicast reverse-path
     ip nat outside
     ip virtual-reassembly
     crypto map VPN-REMOTE-SITE
    !
    interface FastEthernet0/1
     no ip address
     shutdown
     duplex auto
     speed auto
    !
    ip forward-protocol nd
    ip route 0.0.0.0 0.0.0.0 172.20.32.1
    ip route 10.16.0.0 255.255.0.0 10.1.0.33
    ip route 10.19.0.0 255.255.0.0 10.1.0.33
    ip route 10.191.0.0 255.255.0.0 10.1.0.33
    ip route 10.192.0.0 255.255.0.0 10.1.0.33
    ip route 192.168.20.48 255.255.255.240 10.1.0.33
    !
    !
    ip http server
    ip http authentication local
    ip http secure-server
    ip http timeout-policy idle 600 life 86400 requests 10000
    ip nat inside source route-map NO_NAT interface FastEthernet0/0.3 overload
    ip nat inside source static 10.191.0.11 192.168.20.54 route-map STATIC_NAT_7 extendable
    ip nat inside source static 10.191.0.12 192.168.20.55 route-map STATIC_NAT_8 extendable
    ip nat inside source static 10.192.1.1 192.168.20.56 route-map STATIC_NAT_1 extendable
    ip nat inside source static 10.192.1.2 192.168.20.57 route-map STATIC_NAT_2 extendable
    ip nat inside source static 10.192.1.3 192.168.20.58 route-map STATIC_NAT_3 extendable
    ip nat inside source static 10.192.1.4 192.168.20.59 route-map STATIC_NAT_4 extendable
    ip nat inside source static 10.192.1.5 192.168.20.61 route-map STATIC_NAT_5 extendable
    ip nat inside source static 10.16.1.6 192.168.20.62 route-map STATIC_NAT_6 extendable
    !
    ip access-list extended VPN-REMOTE-SITE
     permit ip 192.168.20.48 0.0.0.15 host 10.174.52.39
     permit ip 192.168.20.48 0.0.0.15 host 10.174.52.40
    ip access-list extended inside_nat_static_1
     permit ip host 10.192.1.1 host 10.174.52.39
     permit ip host 10.192.1.1 host 10.174.52.40
     deny ip any any
    ip access-list extended inside_nat_static_2
     permit ip host 10.192.1.2 host 10.174.52.39
     permit ip host 10.192.1.2 host 10.174.52.40
     deny ip any any
    ip access-list extended inside_nat_static_3
     permit ip host 10.192.1.3 host 10.174.52.39
     permit ip host 10.192.1.3 host 10.174.52.40
     deny ip any any
    ip access-list extended inside_nat_static_4
     permit ip host 10.192.1.4 host 10.174.52.39
     permit ip host 10.192.1.4 host 10.174.52.40
     deny ip any any
    ip access-list extended inside_nat_static_5
     permit ip host 10.192.1.5 host 10.174.52.39
     permit ip host 10.192.1.5 host 10.174.52.40
     deny ip any any
    ip access-list extended inside_nat_static_6
     permit ip host 10.16.1.6 host 10.174.52.39
     permit ip host 10.16.1.6 host 10.174.52.40
     deny ip any any
    ip access-list extended inside_nat_static_7
     permit ip host 10.191.0.11 host 10.174.52.39
     permit ip host 10.191.0.11 host 10.174.52.40
     deny ip any any
    ip access-list extended inside_nat_static_8
     permit ip host 10.191.0.12 host 10.174.52.39
     permit ip host 10.191.0.12 host 10.174.52.40
     deny ip any any
    !
    access-list 100 remark auto generated by SDM firewall configuration
    access-list 100 remark SDM_ACL Category=1
    access-list 100 deny ip 172.20.32.0 0.0.0.31 any
    access-list 100 deny ip host 255.255.255.255 any
    access-list 100 deny ip 127.0.0.0 0.255.255.255 any
    access-list 100 permit ip any any
    access-list 101 remark SDM_ACL Category=17
    access-list 101 permit udp any host 192.168.20.62
    access-list 101 permit tcp any host 192.168.20.62
    access-list 101 permit udp any host 192.168.20.61
    access-list 101 permit tcp any host 192.168.20.61
    access-list 101 permit udp any host 192.168.20.59
    access-list 101 permit tcp any host 192.168.20.59
    access-list 101 permit udp any host 192.168.20.58
    access-list 101 permit tcp any host 192.168.20.58
    access-list 101 permit udp any host 192.168.20.57
    access-list 101 permit tcp any host 192.168.20.57
    access-list 101 permit udp any host 192.168.20.56
    access-list 101 permit tcp any host 192.168.20.56
    access-list 101 permit udp any host 192.168.20.55
    access-list 101 permit tcp any host 192.168.20.55
    access-list 101 permit udp any host 192.168.20.54
    access-list 101 permit tcp any host 192.168.20.54
    access-list 101 permit ip host 10.174.52.40 192.168.20.48 0.0.0.15
    access-list 101 permit ip host 10.174.52.39 192.168.20.48 0.0.0.15
    access-list 101 permit udp host 172.21.0.1 host 172.20.32.17 eq non500-isakmp
    access-list 101 permit udp host 172.21.0.1 host 172.20.32.17 eq isakmp
    access-list 101 permit esp host 172.21.0.1 host 172.20.32.17
    access-list 101 permit ahp host 172.21.0.1 host 172.20.32.17
    access-list 101 permit icmp any host 172.20.32.17 echo-reply
    access-list 101 permit icmp any host 172.20.32.17 time-exceeded
    access-list 101 permit icmp any host 172.20.32.17 unreachable
    access-list 101 permit udp any host 172.20.32.17 eq isakmp log
    access-list 101 permit udp any host 172.20.32.17 eq non500-isakmp
    access-list 101 permit tcp any host 172.20.32.17 eq 443
    access-list 101 permit tcp any host 172.20.32.17 eq 22
    access-list 101 permit tcp any host 172.20.32.17 eq cmd
    access-list 101 deny ip 10.1.0.32 0.0.0.31 any
    access-list 101 deny ip 10.0.0.0 0.255.255.255 any
    access-list 101 deny ip 172.16.0.0 0.15.255.255 any
    access-list 101 deny ip 192.168.0.0 0.0.255.255 any
    access-list 101 deny ip 127.0.0.0 0.255.255.255 any
    access-list 101 deny ip host 255.255.255.255 any
    access-list 101 deny ip host 0.0.0.0 any
    access-list 101 deny ip any any log
    access-list 102 deny ip 192.168.20.48 0.0.0.15 host 10.174.52.40
    access-list 102 deny ip 192.168.20.48 0.0.0.15 host 10.174.52.39
    access-list 102 permit ip 10.1.0.32 0.0.0.31 any
    !
    route-map NO_NAT permit 1
     match ip address 102
    !
    route-map STATIC_NAT_8 permit 10
     match ip address inside_nat_static_8
    !
    route-map STATIC_NAT_5 permit 10
     match ip address inside_nat_static_5
    !
    route-map STATIC_NAT_4 permit 10
     match ip address inside_nat_static_4
    !
    route-map STATIC_NAT_7 permit 10
     match ip address inside_nat_static_7
    !
    route-map STATIC_NAT_6 permit 10
     match ip address inside_nat_static_6
    !
    route-map STATIC_NAT_1 permit 10
     match ip address inside_nat_static_1
    !
    route-map STATIC_NAT_3 permit 10
     match ip address inside_nat_static_3
    !
    route-map STATIC_NAT_2 permit 10
     match ip address inside_nat_static_2
    !
    !
    !
    control-plane
    !
    !
    !
    line con 0
     exec-timeout 30 0
    line aux 0
    line vty 0 4
     privilege level 15
     login local
     transport input telnet ssh
    line vty 5 15
     privilege level 15
     login local
     transport input telnet ssh
    !
    scheduler allocate 20000 1000
    end

    VPN-RTR-01#

    Hello

    Configuration looks ok to me.

    However, you can cross-reference with the following link:

    http://www.Cisco.com/en/us/Tech/tk583/TK372/technologies_configuration_example09186a0080223a59.shtml

    I hope this helps.

    Kind regards

    Anisha

    P.S.: Please mark this thread as answered if you feel that your query is resolved. Do rate helpful posts.

  • L2l VPN with nat

    Hi all

    I'm quite inexperienced in this subject and would appreciate advice on this

    I need to create a VPN tunnel between our site and a remote site.

    On our site, we have a 192.168.0.X network; our external IP address is 12.53.150.100

    The site we need to connect to is 69.144.38.48

    We need to go host to host, meaning 192.168.0.97 --> 69.144.38.50, and they want our IP to translate to 10.9.250.1

    Thanks in advance

    Jason

    Are you familiar with the establishment of a regular L2L tunnel? In addition to this, you just create a policy NAT:

    access-list 100 extended permit ip host 192.168.0.97 host 69.144.38.50

    static (inside,outside) 10.9.250.1 access-list 100

    When you define your crypto ACL, you specify 10.9.250.1 as the source instead of 192.168.0.97.

    Let me know if you need more help.

  • L2l - VPN with NAT incoming

    Cisco ASA (Site A) with 2 L2L VPNs (call them Site B and Site C)

    I need "inbound NAT" for the Site-C network.

    Let me explain better:

    -Site-B (10.14.63.0/24) accepts only traffic from the local network of Site-A (10.1.6.0/24), and I can't change the VPN.

    -Now I've connected Site-C to Site-A, and it must also communicate with Site-B.

    -So I thought I would NAT the Site-C network (10.168.3.0/24) so that it presents itself with a Site-A IP.

    Possible?

    And how do I configure the ASA at Site-A?

    Thank you

    Claudio

    Hello

    What is the software level on the Site-A ASA?

    -Jouni

  • Addressing with NAT interface

    Hello

    I had a quick question... On a PIX, does NAT require one of the interfaces to have an IP address within the subnet of the global address?

    For example... If 5.5.5.0/24 is my global NAT, will this require one of my interfaces to be configured with the 5.5.5.0/24 subnet?

    Thank you!

    No, but it should be routable. This means that you must have an inside router which handles the routing and that you have configured an inside route to this router.

    Example:

    ip address inside 1.1.1.1 255.255.255.0

    nat (inside) 1 5.5.5.0 255.255.255.0

    nat (inside) 1 1.1.1.0 255.255.255.0

    route inside 5.5.5.0 255.255.255.0 1.1.1.2

    route outside 0.0.0.0 0.0.0.0 RouterPubIP

    sincerely

    Patrick

  • VPN with NAT

    I'm sure this question has been asked several times, but I want to assure you that I understand before proceeding.

    I set up a site to site VPN IPSec between two ASAs.

    I want to NAT an internal host which links to the peer of my VPN network. So I need to make sure that traffic from this internal host is NATted before entering the VPN tunnel as "interesting traffic".

    So let's say that the remote network 192.168.20.0/24 connects via the IPSec VPN tunnel, with the peers 65.200.1.1 and 198.14.7.10, to host 10.100.1.7 on my network.

    I want to NAT host 10.100.1.7 to 192.168.100.5 so that the remote network connects to the 192 address, not the 10.

    How can I do this?

    (I use an ASA 5505)

    Hello Colin,

    That's right, it's one of the great things about the changes on version 8.3 and prior. You can create a policy NAT rule in a single line.

    Please let me know if you understand this or if there is something else I can do for you.

    Rate the helpful posts.

    Have a good night,

    Julio

  • concentrator 3000 2 lan lan VPN with NAT

    I need to configure a LAN-to-LAN VPN between two 3030 concentrators (separate companies) over the Internet. My company assigns a small subnet for hosts sitting on the client network. The customer wants to use their own IP subnet and assign IP addresses within their range. So, they would do static NAT on their concentrator. Is this possible? Or do they have to NAT the PCs before arriving at the concentrator? Any help much appreciated.

    Hello

    The VPN Concentrator supports NAT.

    http://Cisco.com/en/us/products/HW/vpndevc/ps2284/products_configuration_example09186a00801ae24c.shtml

    HTH

    Kind regards

    GE.

  • Cisco Asa vpn site-to-site with nat

    Hi all

    I need help
    I want to build a site-to-site VPN with NAT
    Site A = 10.0.0.0/24
    Site B = 10.1.252.0/24

    When Site A goes to Site B, I want it to appear as IP 172.26.0.0/24

    Here is my configuration

    access-list inside_nat_outbound extended permit ip 10.0.0.0 255.255.255.0 10.1.252.0 255.255.255.0

    tunnel-group x.x.x.x type ipsec-l2l
    tunnel-group x.x.x.x ipsec-attributes
     pre-shared-key *

    isakmp keepalive threshold 10 retry 2

    crypto ipsec transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
    crypto map outside_map 2 match address inside_nat_outbound

    crypto map outside_map 2 set pfs group5
    crypto map outside_map 2 set peer x.x.x.x

    crypto map outside_map 2 set transform-set ESP-AES-256-SHA

    nat (inside) 10 access-list inside_nat_outbound

    global (outside) 10 172.26.0.1-172.26.0.254

    but it does not work.

    Can you help me?

    Regards

    Frédéric

    You must ensure that there is no NAT 0 ACL statement because it will take precedence over the static NAT.

    You don't need:

    global (outside) 10 172.26.0.1-172.26.0.254

    nat (inside) 10 access-list nattoyr

    Because it will be replaced by the static NAT.

    In short, this is enough:

    access-list nattoyr extended permit ip 10.0.0.0 255.255.255.0 10.1.252.0 255.255.255.0

    access-list vpntoyr extended permit ip 172.26.0.0 255.255.255.0 10.1.252.0 255.255.255.0

    static (inside,outside) 172.26.0.0 access-list nattoyr

    crypto map outside_map 2 match address vpntoyr

    crypto map outside_map 2 set pfs group5

    crypto map outside_map 2 set peer "public ip"

    crypto map outside_map 2 set transform-set ESP-AES-256-SHA

    crypto map outside_map interface outside

    tunnel-group "public ip" type ipsec-l2l

    tunnel-group "public ip" ipsec-attributes

     pre-shared-key *

    -Make sure that there is no NAT 0 ACL including the above statements, and check if NAT is happening (sh xlate) and the traffic is being encrypted (sh cry ips sa)

    Federico.

  • L2l VPN with IPSEC NAT

    Hi all!

    I have a question about L2L VPN and NAT.

    Can I set up the VPN tunnel between two ASAs or routers using the NAT translation from within the private IP addresses to a single public IP address outside the interface and then implement interesting crypto with the source of the public IP address and the destination of the remote private network on the other end (also ASA). For example, I want to translate a private network to the public ip address at one end and use the VPN tunnel with a public IP address as the source. Policy-NAT is not an option, because we really do not want to provide any IP address to the remote end, and IP addresses of the remote end can overlap with our end.

    Thank you!

    Hello

    You can definitely set up an IPSec tunnel between two devices while translating your subnet to a single public IP address. You just create the translation and, as you mentioned, define interesting traffic using the public IP address.

    This is exactly what we call policy NAT; I don't understand why you say that policy NAT is not an option. Perhaps you misunderstood the concept of policy NAT, or I misunderstood your question.

    For example, assuming that the private LAN on your side is 172.16.1.0/24, the remote subnet is 192.168.150.0/24, and the public IP address that you want to use is 200.200.200.200, your NAT config should look like this:

    access-list 199 permit ip 172.16.1.0 255.255.255.0 192.168.150.0 255.255.255.0

    global (outside) 6 200.200.200.200

    nat (inside) 6 access-list 199

    Which would NAT traffic to the public IP address only when the traffic matches the ACL.

    Your crypto ACL should then be something like

    access-list cryptomap permit ip host 200.200.200.200 192.168.150.0 255.255.255.0

    That would hide your real addresses, and all they see is the public IP address you give them. Note that since the NAT takes place on your side, your side will be able to raise the tunnel.

    I hope this helps.

    Raga
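
The reply above relies on NAT being applied before the crypto ACL is checked, and an earlier reply on this page notes that a NAT 0 ACL takes precedence over the translation. The following is an added example, not part of the original posts and not device code: a small Python model of that order using the addresses from the reply. The host addresses and 198.51.100.7 are constructed sample values, and all function and variable names are hypothetical.

```python
# Added example (constructed model, not device code). Networks and the public
# address come from the reply above; host addresses are constructed samples.
from ipaddress import ip_address, ip_network

def acl_match(acl, src, dst):
    """True if any (source_net, dest_net) permit entry covers the packet."""
    return any(ip_address(src) in ip_network(s) and ip_address(dst) in ip_network(d)
               for s, d in acl)

def translate(src, dst, nat0_acl, policy_nat):
    """Source address as it leaves the outside interface."""
    if acl_match(nat0_acl, src, dst):   # NAT 0 (exemption) wins: no translation
        return src
    for acl, global_ip in policy_nat:   # nat (inside) N access-list + global (outside) N
        if acl_match(acl, src, dst):
            return global_ip
    return src                          # ordinary internet PAT is outside this model

def tunnel_decision(src, dst, nat0_acl, policy_nat, crypto_acl):
    """NAT runs first; the crypto ACL is then compared with the translated source."""
    out_src = translate(src, dst, nat0_acl, policy_nat)
    return out_src, acl_match(crypto_acl, out_src, dst)

ACL_199 = [("172.16.1.0/24", "192.168.150.0/24")]
POLICY_NAT = [(ACL_199, "200.200.200.200")]
CRYPTO_OK = [("200.200.200.200/32", "192.168.150.0/24")]
CRYPTO_REAL_LAN = [("172.16.1.0/24", "192.168.150.0/24")]  # written with pre-NAT source

def run_cases():
    host, remote, internet = "172.16.1.10", "192.168.150.20", "198.51.100.7"
    return {
        "correct": tunnel_decision(host, remote, [], POLICY_NAT, CRYPTO_OK),
        "crypto_acl_uses_real_lan": tunnel_decision(host, remote, [], POLICY_NAT, CRYPTO_REAL_LAN),
        "leftover_nat0": tunnel_decision(host, remote, ACL_199, POLICY_NAT, CRYPTO_OK),
        "internet_bound": tunnel_decision(host, internet, [], POLICY_NAT, CRYPTO_OK),
    }

if __name__ == "__main__":
    for name, (out_src, encrypted) in run_cases().items():
        print(f"{name:26} leaves as {out_src:16} matches crypto ACL: {encrypted}")
```

Only the first case is both translated and selected for the tunnel; the two misconfigurations leave the traffic outside the crypto ACL, which is what `sh xlate` and `sh cry ips sa` would reveal on the device.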

  • Application of VPN S2S (with NAT)

    Hello experts,

    ASA (8.2) and standard Site 2 Site Internet access related configs.

    Outside: 1.1.1.1/24-> peer IP VPN S2S.

    Inside: Pvt subnets

    Standard "nat 0" commands and crypto ACLs for our remote offices, local networks with IP whp program.

    Requirement:

    Need to connect PCs on our LAN to external clients (3.3.3.3 & 4.4.4.4) on tcp/443 via S2S VPN. The client accepts only hosts with public IPs.

    I need to NAT my internal IPs to a public IP, say 1.1.1.2, and establish the VPN tunnel between 1.1.1.1 -> client-side primary & secondary IPs (Cisco router).

    (without losing connectivity to remote offices). No policy NAT work here?

    ex:

    My internal: 10.0.0.0/8 and 192.168.0.0/16
    Assigned IP available for NAT (some time to connect to the client only): 1.1.1.5

    External client LAN IPs: 3.3.3.3 & 4.4.4.4

    PAT: access-list TOCLIENT extended permit ip object-group MYLAN object-group ClientLAN

    nat (inside) 5 access-list TOCLIENT

    global (outside) 5 1.1.1.5

    Crypto: access-list CRYPTO extended permit tcp host 1.1.1.5 object-group ClientLAN eq 443

    crypto map Outsidemap 1 match address CRYPTO

    The customer will peer with IP 1.1.1.1 only.

    Do I need any "nat 0" configs here?

    Also, for the phase 2 specifications, no transform-set options were given. The info given was:

    Phase 2: AH: disabled, lifetime: 3600 s, PFS: disabled, LZS compression: disabled.
    Does this work with the phase 2 options?

    Thanks in advance

    MS

    Hello

    "Existing NAT (inside) 1 & global (outside) does not interfere with NAT 5 when users try to reach the ClientLAN."

    Your inside nat index is '1', while the dynamic policy-nat is index '5'.

    "For phase 2 in general, we define crypto ipsec transform-set TEST."

    Sure, the remote tunnel peers accept the same transform set; whatever you set up, as in the example below, the remote peer sets up the same for the tunnel.

    crypto ipsec transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac

    "In this scenario, no need to define anything and just add an empty transform-set statement under the crypto map?"

    No, you need a defined transform set.

    "3. If we want to limit the destination to port 443, I need to use separate VPN filters?"

    That's right, use a vpn-filter.

    "4. We have several phase 1 configs, but wanted to use AES256 & DH5 (new policy)... for S2S, these options work fine."

    Of course, you have set the phase 1, as required.

    Thank you

    Rizwan James

  • IOS - help with VPN IPsec L2L with NAT

    Hello guys

    I tried to get VPN to work for a specific scenario where I do NAT for VPN traffic to avoid the duplication of subnet.

    I found several guides on cisco.com, but all the ones I found do not show (or show how to do) overload NAT (for internet traffic), which I need for my setup.

    http://www.Cisco.com/en/us/Tech/tk583/TK372/technologies_configuration_example09186a00800b07ed.shtml

    http://www.Cisco.com/en/us/products/ps5855/products_configuration_example09186a0080a0ece4.shtml

    Basically, I need to know what the configuration looks like when you do static NAT in a VPN tunnel as well as provide internet connectivity using NAT on the same router.

    I have attached a drawing that should better explain my needs.

    Does anyone know of a guide that shows how to do this?

    Best regards

    Jesper

    You can use a static policy NAT to NAT the traffic:

    access-list 101 permit ip 10.0.0.0 0.0.0.255 10.30.10.0 0.0.0.255

    access-list 102 deny ip 10.0.0.0 0.0.0.255 10.30.10.0 0.0.0.255

    access-list 102 permit ip 10.0.0.0 0.0.0.255 any

    route-map policy-NAT permit 10

     match ip address 101

    route-map internet-NAT permit 10

     match ip address 102

    ip nat inside source static network 10.0.0.0 10.30.10.0 /24 route-map policy-NAT

    ip nat inside source route-map internet-NAT interface overload

    Hope that helps.

