VPN with overlapping subnets
I'll be setting up a site-to-site VPN between 2 sites. Site A is local and site B is remote. Site B is another company that will run software on a server at the site. I don't have access to some of the equipment at site B.
Here's the question... Site B has several VPN tunnels with other clients of theirs. One of their existing tunnels is already configured with the same subnet as Site A. Thus, they cannot use the same subnet for our VPN configuration. The Site A subnet is 192.168.11.0/24 and cannot be changed due to some equipment that is hard-coded with the IP information. For example, Site B wants to use 10.133.6.0/32. I need to translate the 10.133.6.0/32 at my local end so that traffic can pass through the VPN. In the end, the server is the only thing that has to cross the tunnel. Its IP is 192.168.11.55.
I have a Cisco ASA 5505 and I use the ASDM to configure the tunnel.
Any help would be appreciated.
Thank you
Mike
Hello Mike,
OK, so here's what you'll need:
access-list some permit ip 192.168.11.0 255.255.255.0 site_b_subnet 255.255.255.0
nat (inside) 11 access-list some
global (outside) 11 10.133.6.1-10.133.6.254 netmask 255.255.255.0
Now the crypto ACL for the VPN traffic between site A and B:
access-list VPN_whatever permit ip 10.133.6.0 255.255.255.0 site_b_subnet 255.255.255.0
That's all you need on your site! On site B, all they have to do is configure the crypto ACL with the 10.133.6.0 subnet:
access-list VPN_whatever permit ip site_b_subnet 255.255.255.0 10.133.6.0 255.255.255.0
That's all!
Let me know if you have any questions,
Please rate all useful posts
Julio
Security Engineer
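As an added example (not code from the thread or from Cisco), this is the host-preserving translation the policy NAT above performs, together with the overlap check that decides whether the NAT is needed at all. site_b_subnet is never given on the page, so 10.77.0.0/24 is a constructed placeholder for it; the /22 case at the end is the double-NAT question further down the page.

```python
"""Host-preserving policy NAT for overlapping VPN subnets (added example, Python 3.8+)."""
from dataclasses import dataclass
from ipaddress import IPv4Address, IPv4Network
from typing import List, Optional, Sequence, Tuple


def translate(ip: str, src: str, dst: str) -> str:
    """Rewrite only the network part of `ip` from `src` into `dst`, keeping the
    host bits intact. This is what an ASA policy static does when it maps one
    whole subnet onto another of the same size (192.168.0.100 -> 192.168.200.100)."""
    addr, real, mapped = IPv4Address(ip), IPv4Network(src), IPv4Network(dst)
    if real.prefixlen != mapped.prefixlen:
        raise ValueError(f"{real} and {mapped} must be the same size")
    if addr not in real:
        raise ValueError(f"{addr} is not inside {real}")
    host_bits = int(addr) - int(real.network_address)
    return str(mapped.network_address + host_bits)


@dataclass(frozen=True)
class OverlapNatPlan:
    real: str    # subnet as it exists behind our ASA
    mapped: str  # "fake" subnet the peer addresses instead
    peer: str    # peer subnet as we address it

    def outbound(self, real_ip: str) -> str:
        return translate(real_ip, self.real, self.mapped)

    def inbound(self, mapped_ip: str) -> str:
        return translate(mapped_ip, self.mapped, self.real)

    def crypto_acl(self) -> Tuple[str, str]:
        """Interesting-traffic ACEs for our side and the peer's side. Both must
        name the *mapped* subnet: a crypto ACL written with the real subnet never
        matches the post-NAT packets, and the two sides' selectors must mirror."""
        m, p = IPv4Network(self.mapped), IPv4Network(self.peer)
        ours = f"permit ip {m.network_address} {m.netmask} {p.network_address} {p.netmask}"
        theirs = f"permit ip {p.network_address} {p.netmask} {m.network_address} {m.netmask}"
        return ours, theirs


def plan_overlap_nat(real: str, mapped: str, peer: str,
                     peer_existing: Sequence[str] = ()) -> Tuple[Optional[OverlapNatPlan], List[str]]:
    """Decide whether `real` has to be hidden behind `mapped` to reach `peer`.

    `peer_existing` lists subnets the peer already reaches through its other
    tunnels (why Site B cannot accept 192.168.11.0/24 a second time).
    Returns (plan or None, the subnets that `real` collides with)."""
    r, m = IPv4Network(real), IPv4Network(mapped)
    taken = [IPv4Network(n) for n in (peer, *peer_existing)]
    conflicts = [str(n) for n in taken if r.overlaps(n)]
    if not conflicts:
        return None, []                      # plain L2L with the real subnet is fine
    if r.prefixlen != m.prefixlen:
        raise ValueError("mapped subnet must be the same size as the real one")
    for n in taken:
        if m.overlaps(n):
            raise ValueError(f"mapped subnet {m} collides with {n} as well")
    return OverlapNatPlan(real, mapped, peer), conflicts


if __name__ == "__main__":
    # Site A from the thread: 192.168.11.0/24 must appear to Site B as 10.133.6.0/24.
    # 10.77.0.0/24 stands in for site_b_subnet, which the thread never names (constructed).
    plan, clashes = plan_overlap_nat("192.168.11.0/24", "10.133.6.0/24",
                                     peer="10.77.0.0/24",
                                     peer_existing=["192.168.11.0/24"])
    print("NAT needed because the real subnet collides with:", clashes)
    print("server 192.168.11.55 is reached by Site B as", plan.outbound("192.168.11.55"))
    for side, ace in zip(("Site A", "Site B"), plan.crypto_acl()):
        print(f"{side} crypto ACL: {ace}")
    # The /22 double-NAT case further down the page: 10.26.1.222 -> 10.100.1.222.
    print(translate("10.26.1.222", "10.26.0.0/22", "10.100.0.0/22"))
```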
Similar Questions
-
VPN does not work with overlapping IP addresses?
When I plug in my ADSL router and have the IP address 10.1.1.1/8, I can use the remote access VPN terminating on the firewall and authentication works very well. I set the pool IP address to 10.7.0.1/16, but I cannot access the local LAN. If I dial up from my PC and get a 2x2.102.x.y IP address, then when I connect I can access the local network with no problem, and remote access VPN authentication works too.
Is it a question of routing on the PC with the overlapping IP or not?
Please clarify or provide a useful link.
Thank you
Hello
It seems that it is a NAT-T problem.
Make sure that the VPN headend has "isakmp nat-t" (if that's a PIX). If it is a concentrator, make sure that "IPsec NAT-T" is enabled.
Additionally, make sure that on the client "Enable Transparent Tunneling" is checked, with IPsec over UDP (NAT/PAT) selected.
HTH,
-Kanishka
-
Overlapping NAT with remote access VPN
Hi all
My client has an ASA 5510 at the main location. We're setting it up for their SSL remote access VPN needs, 30 or so remote users.
The problem is that the main site has a 192.168.1.0/24 network, the default of any number of off-the-shelf Linksys routers.
Obviously, by default, it does not work. When users connect to the VPN from home, it connects but network resources are not available.
I read about overlapping NAT with site-to-site tunnels, but does that all apply to remote access? Is it possible as well?
Any help to point me in the right direction would be much appreciated.
Thank you!
Look at "PIX/ASA 7.x and later: Site-to-Site (L2L) VPN with Policy NAT configuration example (overlapping private networks)" for more information.
-
Several tunnels to Datacenter VPN with overlapping networks
Hello guys,
We are starting to host applications for customers that need Windows trusts (maybe?) and full access to a class C subnet in our data center.
My problem is that most of our customers are small mom-and-pop shops IPed to 192.168.1.x. I intend to install my own Cisco ASA at each of these sites and create a VPN to the data center to access the application. For the last 2 sites I've done, I re-IPed the network to a plan of mine. I am starting to run into many customers that we simply host the app for, and I can't really make them re-IP their network if they don't want to.
My question is, what are my options here? I guess some kind of NAT, but I don't really know how it works. With a Windows trust, communication must be two-way. If we did not need the trust, I could see this working without problem with a simple NAT, right? Which firewall would you NAT on? The remote end or the data center?
Any help and advice is appreciated.
It's a complete Cisco network: ASAs, Catalysts, routers, etc...
Hi Billy,
Basically, for overlapping networks, you will run NAT on both sites for the interesting traffic.
If you have networks that overlap, you can follow this link if you use a Cisco ASA, and this link for Cisco routers as the VPN endpoint devices.
Kind regards
Dinesh Moudgil
PS: Please rate helpful messages.
-
Router-to-router VPN with overlapping internal networks
Hello Experts,
A small question. How do I configure a router-to-router VPN with overlapping internal networks?
Two of my internal networks have the IP address 192.168.10.0 and 192.168.10.0.
Any link or config would be appreciated. I searched but had no luck.
Thank you
Randall
Randall,
Please see the below URL for the configuration details:
Configure an IPSec Tunnel between routers with duplicate LAN subnets
http://www.Cisco.com/en/us/Tech/tk583/TK372/technologies_configuration_example09186a00800b07ed.shtml
Let me know if it helps.
Kind regards
Arul
* Please rate all useful messages *
-
Site-to-Site VPN with overlapping subnets
Hello everyone,
I have a few ASAs with Site-to-Site tunnels to 1 Hub Site.
All sites tunnel all traffic (0.0.0.0/0) to the Hub ASA.
Internet access is provided via the Hub ASA.
Now I need to create a site VPN from each location to a different Hub ASA, destined for 10.10.0.0/16.
When creating the tunnel, I get the overlapping subnets error because of the previous tunnel (0.0.0.0/0).
How can I possibly have 2 tunnels?
A - Interesting traffic - 0.0.0.0/0 tunnel
B - Interesting traffic - 10.10.0.0/16 tunnel
Thanks in advance!
Hello
I'm not 100% sure about this, as I have not tested it or had to do a similar setup before.
But you can try a few things:
- Add an ACL statement at the TOP of the existing L2L VPN crypto ACL as a Deny statement. The ASA will give an error/warning message after that.
- access-list deny ip 10.10.0.0 255.255.0.0
- Configure the specific one with the highest order number in the "crypto map" configuration and see if that helps
- crypto map 10 set peer
- crypto map 1 set peer
You can naturally use "packet-tracer" and other diagnostic commands to confirm that the current L2L VPN does not take the destination network 10.10.0.0/16 into account.
Hope this helps
-Jouni
-
Here is my complete config.
Here are a few notes:
IP obtained from the VPN: 10.250.128.X
LAN IP: 192.168.0.0/24
My VPN works atm, #1 for those who don't
What I want to do is NAT my VPN for this.
Example: I want to access the computer 192.168.0.2 on the company LAN.
I want to hit the PC (which is connected to the VPN) at 192.168.200.2 and have the Cisco convert 192.168.200.2 to 192.168.0.2, to be able to access my PC at work.
Of course, I am thinking about being able to do the other side also (192.168.0.2 to 192.168.200.2, to be able to send the packet back; not sure on this).
Can you guys help me? It's atm out of my knowledge and I
ASA Version 8.2(1)
!
terminal width 250
hostname hostname
enable password d0/xPtlKePBzdYTe encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
names
!
interface Vlan1
 nameif inside
 security-level 100
 ip address 192.168.0.254 255.255.255.0
!
interface Vlan2
 nameif outside
 security-level 0
 ip address 10.0.128.1 255.255.255.0
!
interface Ethernet0/0
 switchport access vlan 2
 speed 10
 duplex full
!
interface Ethernet0/1
 speed 10
 duplex full
!
interface Ethernet0/2
!
interface Ethernet0/3
!
interface Ethernet0/4
!
interface Ethernet0/5
!
interface Ethernet0/6
!
interface Ethernet0/7
!
boot system disk0:/asa821-k8.bin
ftp mode passive
object-group service grp_outside_in tcp
 description Ports required for internal transfer
 port-object eq smtp
 port-object eq ssh
access-list inside-out extended permit ip any any
access-list inside-out extended permit icmp any any
access-list no_nat extended permit ip 192.168.0.0 255.255.0.0 10.250.128.0 255.255.255.0
access-list split-tunnel extended permit ip 192.168.0.0 255.255.20.0 10.250.128.0 255.255.255.0
access-list 100 extended permit ip 10.250.128.0 255.255.255.0 192.168.0.0 255.255.255.0
access-list 100 extended permit icmp 10.250.128.0 255.255.255.0 192.168.0.0 255.255.255.0
access-list 101 extended permit ip any any
access-list 101 extended permit icmp any any
pager lines 34
logging enable
logging timestamp
logging buffered debugging
logging trap debugging
logging asdm informational
mtu inside 1500
mtu outside 1500
ip local pool mobilepool 10.250.128.100-10.250.128.130 mask 255.255.255.0
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-621.bin
no asdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 0 access-list no_nat
nat (inside) 1 0.0.0.0 0.0.0.0
nat (outside) 1 0.0.0.0 0.0.0.0
route outside 0.0.0.0 0.0.0.0 10.0.128.2 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
dynamic-access-policy-record DfltAccessPolicy
aaa authentication ssh console LOCAL
http server enable
http 192.168.1.0 255.255.255.0 inside
http 192.168.0.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set floating esp-3des esp-md5-hmac
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
crypto dynamic-map dyn1 1 set transform-set floating
crypto dynamic-map dyn1 1 set reverse-route
crypto map mobilemap 1 ipsec-isakmp dynamic dyn1
crypto map mobilemap interface outside
crypto isakmp enable outside
crypto isakmp policy 1
 authentication pre-share
 encryption 3des
 hash sha
 group 2
 lifetime 86400
telnet timeout 5
ssh 192.168.0.0 255.255.255.0 inside
ssh 10.0.128.0 255.255.255.0 inside
ssh timeout 5
ssh version 2
console timeout 0
dhcpd auto_config outside
!
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
webvpn
group-policy vpn internal
group-policy vpn attributes
 vpn-simultaneous-logins 50
 vpn-idle-timeout 2000
 vpn-session-timeout 2000
group-policy mobile_policy internal
group-policy mobile_policy attributes
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value
username admin password N2TJh8TeuGc7EOVu encrypted privilege 15
username user1 password gLGaPhl70GqS8DhN encrypted
username user2 password Y7.fXmPk3FvKUGOO encrypted
tunnel-group mobilegroup type remote-access
tunnel-group mobilegroup general-attributes
 address-pool mobilepool
 default-group-policy mobile_policy
tunnel-group mobilegroup ipsec-attributes
 pre-shared-key *
!
class-map global-class
 match default-inspection-traffic
class-map inspection
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum 512
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect rsh
  inspect rtsp
  inspect esmtp
  inspect sqlnet
  inspect skinny
  inspect sunrpc
  inspect xdmcp
  inspect sip
  inspect netbios
  inspect tftp
!
service-policy global_policy global
prompt hostname context
Cryptochecksum:012d58f20bdf997d1e7b6927431e0015
: end
Hi Mr. Gyslain,
So, if I understand correctly, you want the following:
- NAT your local LAN 192.168.0.0/24 to 192.168.200.0/24 for VPN Client users, so that their local network does not overlap with your local network while they are connected
To my knowledge, you should be able to handle this with the following changes to your configuration:
- Configure policy NAT
- Change the Split Tunnel rules
- Remove the existing NAT0 rule
Here are some example configurations that I think should handle the situation. Of course, make sure you have the old configuration at hand if you need to revert to it.
Remove the NAT0 rule
- no nat (inside) 0 access-list no_nat
- no access-list no_nat extended permit ip 192.168.0.0 255.255.0.0 10.250.128.0 255.255.255.0
By removing the above configuration, we want to avoid the LAN showing up with its original IP addresses to the VPN Client user.
Creating policy NAT
- access-list VPN-CLIENT-POLICY-NAT permit ip 192.168.0.0 255.255.255.0 10.250.128.0 255.255.255.0
- static (inside,outside) 192.168.200.0 access-list VPN-CLIENT-POLICY-NAT
With the above configuration, we tell the ASA to NAT your local LAN 192.168.0.0/24 to 192.168.200.0/24 WHEN connections are established to the destination network 10.250.128.0/24, which is the VPN Client pool. This naturally works in both directions. Also note that if your LAN host IP address is, for example, 192.168.0.100, it has the NAT address 192.168.200.100.
Change the VPN Client Split tunnel
- access-list VPN-SPLIT-TUNNEL standard permit 192.168.200.0 255.255.255.0
- group-policy mobile_policy attributes
   split-tunnel-network-list value VPN-SPLIT-TUNNEL
The above configuration is intended to change your VPN Client Split Tunnel ACL to a Standard ACL that indicates which networks your client sends to the VPN. In this case, it would be the new policy NAT network 192.168.200.0/24. After configuring the ACL you naturally set it under the VPN settings.
I don't know if you have split tunnel configured at all, because the configuration does not show the ACL name, at least. I know that you can have the "tunnelspecified" configuration line without specifying the actual ACL, but I don't know if that is a copy/paste problem or a typo; it should work with full tunnel also.
With the above configuration, to my knowledge, everything should work.
-Jouni
EDIT: Some typos
Edit2: Name group policy was wrong
-
VPN client with overlapping private networks?
I have a new client who needs to send us data occasionally. We normally install the Cisco VPN Client on their PC, but this client has the same private network as we do.
I know it could be done with policy NAT on my ASA 5510 with a site-to-site VPN, but the customer does not want to change their addressing or network hardware. They have a cable router with no VPN option, and they are unwilling to spend more money on this project.
Can this work if there is no overlapping of IP addresses?
Your sheep ACL overlaps the static policy NAT, and sheep has priority over the static policy NAT, which is why it does not work.
Please kindly remove the following:
access-list sheep extended permit ip 192.168.1.0 255.255.255.0 192.168.240.0 255.255.255.0
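Why the exemption entry has to go, both in Jouni's "remove the NAT0 rule" advice above and in this answer, comes down to the pre-8.3 NAT order: nat 0 access-list is evaluated before any static, whatever order the lines appear in. Added example (not from the thread): a small evaluator of that order using the no_nat and VPN-CLIENT-POLICY-NAT lines from Jouni's post; the Ace and NatRule classes are this example's own.

```python
"""Pre-8.3 ASA NAT precedence: why a nat 0 (exemption) entry shadows a policy static.
Added example; the rule model is this script's own, the two CLI lines are Jouni's."""
from dataclasses import dataclass
from ipaddress import IPv4Address, IPv4Network
from typing import Optional, Sequence, Tuple


@dataclass(frozen=True)
class Ace:
    """One permit line of an access-list referenced by a nat or static command."""
    src: str  # real source subnet, e.g. "192.168.0.0/24"
    dst: str  # destination subnet that makes the traffic "interesting"

    def matches(self, src_ip: str, dst_ip: str) -> bool:
        return (IPv4Address(src_ip) in IPv4Network(self.src)
                and IPv4Address(dst_ip) in IPv4Network(self.dst))


@dataclass(frozen=True)
class NatRule:
    kind: str             # "exempt" = nat (ifc) 0 access-list; "policy_static" = static ... access-list
    text: str             # the CLI line, returned so the caller sees which rule won
    acl: Tuple[Ace, ...]
    mapped: Optional[str] = None  # mapped network address of a policy static


# ASA 8.2 and earlier: NAT exemption first, then static / policy static,
# independent of where the lines sit in the configuration.
PRECEDENCE = {"exempt": 0, "policy_static": 1}


def translate_source(src_ip: str, dst_ip: str,
                     rules: Sequence[NatRule]) -> Tuple[str, Optional[str]]:
    """Return (source address as seen on the mapped interface, CLI text of the winning rule)."""
    # sorted() is stable, so configuration order still decides within one class.
    for rule in sorted(rules, key=lambda r: PRECEDENCE[r.kind]):
        for ace in rule.acl:
            if not ace.matches(src_ip, dst_ip):
                continue
            if rule.kind == "exempt":
                return src_ip, rule.text            # exempted: leaves with its real address
            real = IPv4Network(ace.src)             # policy static keeps the host bits
            offset = int(IPv4Address(src_ip)) - int(real.network_address)
            return str(IPv4Address(rule.mapped) + offset), rule.text
    return src_ip, None                             # no NAT rule applies


# Jouni's lines: the exemption covers 192.168.0.0/16 -> pool, the policy static 192.168.0.0/24 -> pool.
EXEMPT = NatRule("exempt", "nat (inside) 0 access-list no_nat",
                 (Ace("192.168.0.0/16", "10.250.128.0/24"),))
POLICY_STATIC = NatRule("policy_static",
                        "static (inside,outside) 192.168.200.0 access-list VPN-CLIENT-POLICY-NAT",
                        (Ace("192.168.0.0/24", "10.250.128.0/24"),), mapped="192.168.200.0")
# The static is listed first on purpose: configuration order does not change the outcome.
BEFORE_REMOVAL = (POLICY_STATIC, EXEMPT)
AFTER_REMOVAL = (POLICY_STATIC,)


if __name__ == "__main__":
    client = "10.250.128.101"   # a VPN client address out of mobilepool
    for label, rules in (("before", BEFORE_REMOVAL), ("after", AFTER_REMOVAL)):
        seen_as, winner = translate_source("192.168.0.2", client, rules)
        print(f"{label} removing nat 0: 192.168.0.2 is seen by the client as {seen_as} via {winner}")
```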
-
LAN-to-LAN IPsec VPN with overlapping networks problem
I am trying to connect two overlapping networks via IPsec. I have already googled and read
http://www.Cisco.com/en/us/products/ps6120/products_configuration_example09186a0080b37d0b.shtml
Details:
Site_A uses an ASA 5510 with software version 8.0(4)32. Site_A uses the inside networks 10.100.0.0/24, 10.100.1.0/24 and 10.100.2.0/24. 10.100.0.0/24 is directly connected to the ASA (as vlan10); 10.100.1.0/24 and 10.100.2.0/24 are routed.
Site_B uses a Linux box and the networks 10.100.1.0/24, 10.100.2.0/24, 10.100.3.0/24 and so on (mainly 10.100.x.0/24). I did not implement this ASA; we took over this infrastructure without any other documentation whatsoever.
According to the above link I should use double NAT. Site_B will see the Site_A networks as 10.26.0.0/22, and Site_A sees the networks in Site_B as 10.25.0.0/24. Site_A is allowed access only to 10.100.1.0/24 in Site_B, and Site_B is allowed access to all the Site_A networks 10.100.x.0/24, hence the /22 mask, 10.26.0.0/22. I would like, for example, to ssh from a host in Site_B to a host in Site_A using 10.26.1.222 as the destination IP address (and it should be translated to 10.100.1.222 on the Site_A side). I'm looking for something like ip nat ... match-host on Cisco routers: I want to translate only the network part of the address and leave the host part intact. Anyway, following the steps from the link above everything is ok until the command:
static (companyname,outside) 10.26.0.0 access-list fake_nat_outbound
which results in:
WARNING: real-address conflict with existing static
  TCP companyname:10.100.0.6/443 to outside:x.x.x.178/443 netmask 255.255.255.255
WARNING: real-address conflict with existing static
  TCP companyname:10.100.0.20/25 to outside:x.x.x.178/25 netmask 255.255.255.255
WARNING: real-address conflict with existing static
  TCP companyname:10.100.0.128/3389 to outside:x.x.x.178/50000 netmask 255.255.255.255
WARNING: real-address conflict with existing static
  TCP companyname:10.100.0.26/3389 to outside:x.x.x.181/2001 netmask 255.255.255.255
WARNING: real-address conflict with existing static
  TCP companyname:10.100.0.27/3389 to outside:x.x.x.181/2002 netmask 255.255.255.255
WARNING: real-address conflict with existing static
  TCP companyname:10.100.0.28/3389 to outside:x.x.x.178/2003 netmask 255.255.255.255
Those are port redirects on Site_A used for mail, webmail, etc. What should I do to keep the redirects from the Internet to the companyname vlan and at the same time have a working L2L IPsec tunnel linking the overlapping networks?
Thank you in advance for any help or advice.
The ASA config snippet is below:
!
ASA Version 8.0(4)32
!
no names
name 10.25.0.0 siteB-fake-network description fake NAT network to avoid IP overlap
name 10.26.0.0 siteA-fake-network description fake NAT network to avoid IP overlap
!
interface Ethernet0/0
 shutdown
 nameif inside
 security-level 100
 ip address 10.200.32.254 255.255.255.0
!
interface Ethernet0/1
 nameif outside
 security-level 0
 ip address x.x.x.178 255.255.255.248
!
interface Ethernet0/2
 no nameif
 no security-level
 no ip address
!
interface Ethernet0/2.10
 vlan 10
 nameif companyname
 security-level 100
 ip address 10.100.0.254 255.255.255.0
!
interface Ethernet0/2.20
 vlan 20
 nameif wifi
 security-level 100
 ip address 10.0.0.1 255.255.255.240
!
interface Ethernet0/2.30
 vlan 30
 nameif dmz
 security-level 50
 ip address 10.0.30.1 255.255.255.248
!
interface Ethernet0/3
 shutdown
 no nameif
 no security-level
 no ip address
!
interface Management0/0
 nameif management
 security-level 100
 ip address 10.100.100.1 255.255.255.0
 management-only
!
same-security-traffic permit inter-interface
same-security-traffic permit intra-interface
object-group protocol TCPUDP
 protocol-object udp
 protocol-object tcp
object-group network inside-network
 network-object 10.100.0.0 255.255.255.0
 network-object 10.100.1.0 255.255.255.0
 network-object 10.100.2.0 255.255.255.0
object-group service DM_INLINE_TCP_1 tcp
 port-object eq 2221
 port-object eq 2222
 port-object eq 2223
 port-object eq 2224
 port-object eq 2846
object-group service DM_INLINE_TCP_5 tcp
 port-object eq ftp
 port-object eq ftp-data
 port-object eq www
 port-object eq https
object-group service DM_INLINE_SERVICE_1
 service-object tcp eq domain
 service-object udp eq domain
object-group service DM_INLINE_TCP_6 tcp
 port-object eq 2221
 port-object eq 2222
 port-object eq 2223
 port-object eq 2224
 port-object eq 2846
object-group network DM_INLINE_NETWORK_1
 network-object 10.100.0.0 255.255.255.0
 network-object 10.100.2.0 255.255.255.0
access-list securevpn_splitTunnelAcl standard permit 10.100.0.0 255.255.255.0
access-list outside_access_in extended permit tcp any host x.x.x.178 eq 50000
access-list outside_access_in extended permit tcp any host x.x.x.178 eq smtp
access-list outside_access_in extended permit tcp any host x.x.x.178 eq https
access-list outside_access_in extended permit tcp any host x.x.x.179 object-group DM_INLINE_TCP_1
access-list outside_access_in extended permit tcp any host x.x.x.181 eq ftp
access-list outside_access_in extended permit tcp any host x.x.x.181 eq ftp-data
access-list outside_access_in extended permit tcp host 205.158.110.63 host x.x.x.180 eq ssh inactive
access-list inside_access_in extended permit ip 10.100.0.0 255.255.255.0 10.100.1.0 255.255.255.0
access-list inside_access_in extended permit ip object-group inside-network 10.100.99.0 255.255.255.0
access-list inside_access_in extended permit ip object-group inside-network 10.0.30.0 255.255.255.248
access-list inside_access_in extended permit tcp host 10.100.0.6 any eq smtp
access-list inside_access_in extended permit tcp object-group inside-network any eq www
access-list inside_access_in extended permit tcp object-group inside-network any eq https
access-list inside_access_in extended permit tcp object-group inside-network gt 1023 any eq ftp-data
access-list inside_access_in extended permit tcp object-group inside-network gt 1023 any eq ftp
access-list inside_access_in extended permit object-group TCPUDP object-group inside-network any eq 9999
access-list inside_access_in extended permit object-group TCPUDP object-group inside-network any eq 3389
access-list inside_access_in extended permit udp object-group inside-network any eq domain
access-list companyname_access_in extended permit ip object-group inside-network 10.100.1.0 255.255.255.0
access-list companyname_access_in extended permit ip object-group inside-network 10.100.99.0 255.255.255.0
access-list companyname_access_in extended permit ip object-group inside-network 10.0.30.0 255.255.255.248
access-list companyname_access_in extended permit tcp host 10.100.0.6 any eq smtp
access-list companyname_access_in extended permit tcp object-group inside-network any eq www
access-list companyname_access_in extended permit tcp object-group inside-network any eq https
access-list companyname_access_in extended permit tcp object-group inside-network gt 1023 any eq ftp-data
access-list companyname_access_in extended permit tcp object-group inside-network gt 1023 any eq ftp
access-list companyname_access_in extended permit object-group TCPUDP object-group inside-network any eq 9999
access-list companyname_access_in extended permit object-group TCPUDP object-group inside-network any eq 3389
access-list companyname_access_in extended permit udp object-group inside-network any eq domain
access-list wifi_access_in extended permit tcp 10.0.0.0 255.255.255.240 host 10.100.0.40 eq 2001
access-list companyname_nat0_outbound extended permit ip 10.100.0.0 255.255.255.0 10.100.99.0 255.255.255.0
access-list companyname_nat0_outbound extended permit ip 10.100.0.0 255.255.255.0 10.0.0.0 255.255.255.240
access-list companyname_nat0_outbound extended permit ip 10.100.0.0 255.255.255.0 10.0.30.0 255.255.255.248
access-list companyname_nat0_outbound extended permit ip 10.100.0.0 255.255.255.0 10.100.2.0 255.255.255.0
access-list companyname_nat0_outbound extended permit ip 10.100.2.0 255.255.255.0 10.0.30.0 255.255.255.248
access-list companyname_nat0_outbound extended permit ip 10.100.1.0 255.255.255.0 10.100.99.0 255.255.255.0
access-list companyname_nat0_outbound extended permit ip 10.100.2.0 255.255.255.0 10.100.99.0 255.255.255.0
access-list wifi_nat0_outbound extended permit ip 10.0.0.0 255.255.255.240 10.100.0.0 255.255.255.0
access-list dmz_access_in extended permit tcp 10.0.30.0 255.255.255.248 any object-group DM_INLINE_TCP_5
access-list dmz_access_in extended permit tcp 10.0.30.0 255.255.255.248 host 10.100.0.2 object-group DM_INLINE_TCP_6
access-list dmz_access_in extended permit object-group DM_INLINE_SERVICE_1 10.0.30.0 255.255.255.248 object-group DM_INLINE_NETWORK_1
access-list dmz_access_in extended deny ip 10.0.30.0 255.255.255.248 any
access-list dmz_nat0_outbound extended permit ip 10.0.30.0 255.255.255.248 10.100.0.0 255.255.255.0
access-list dmz_nat0_outbound extended permit ip 10.0.30.0 255.255.255.248 10.100.99.0 255.255.255.0
access-list dmz_nat0_outbound extended permit ip 10.0.30.0 255.255.255.248 10.100.2.0 255.255.255.0
access-list outside_1_cryptomap extended permit ip 10.26.0.0 255.255.252.0 10.25.0.0 255.255.255.0
access-list fake_nat_outbound extended permit ip 10.100.0.0 255.255.252.0 10.25.0.0 255.255.255.0
ip local pool clientVPNpool 10.100.99.101-10.100.99.199 mask 255.255.255.0
ip verify reverse-path interface inside
ip verify reverse-path interface outside
ip audit name IPS attack action alarm drop reset
ip audit name IPS-inf info action alarm
ip audit interface outside IPS-inf
ip audit interface outside IPS
nat-control
global (inside) 91 10.100.0.2
global (inside) 92 10.100.0.4
global (inside) 90 10.100.0.3 netmask 255.255.255.0
global (outside) 10 interface
global (outside) 91 x.x.x.179
global (outside) 92 x.x.x.181
global (outside) 90 x.x.x.180 netmask 255.0.0.0
global (companyname) 10 interface
global (dmz) 20 interface
nat (outside) 10 10.100.99.0 255.255.255.0
nat (companyname) 0 access-list companyname_nat0_outbound
nat (companyname) 10 10.100.0.0 255.255.255.0
nat (companyname) 10 10.100.1.0 255.255.255.0
nat (companyname) 10 10.100.2.0 255.255.255.0
nat (wifi) 0 access-list wifi_nat0_outbound
nat (dmz) 0 access-list dmz_nat0_outbound
nat (dmz) 10 10.0.30.0 255.255.255.248
static (companyname,outside) tcp interface https 10.100.0.6 https netmask 255.255.255.255
static (companyname,outside) tcp interface smtp 10.100.0.20 smtp netmask 255.255.255.255
static (companyname,outside) tcp interface 50000 10.100.0.128 3389 netmask 255.255.255.255
static (companyname,outside) tcp x.x.x.181 2001 10.100.0.26 3389 netmask 255.255.255.255
static (companyname,outside) tcp x.x.x.181 2002 10.100.0.27 3389 netmask 255.255.255.255
static (companyname,outside) tcp interface 2003 10.100.0.28 3389 netmask 255.255.255.255
static (dmz,outside) tcp x.x.x.181 ftp 10.0.30.2 ftp netmask 255.255.255.255
static (companyname,companyname) 10.100.1.0 10.100.1.0 netmask 255.255.255.0
static (companyname,companyname) 10.100.2.0 10.100.2.0 netmask 255.255.255.0
access-group inside_access_in in interface inside
access-group outside_access_in in interface outside
access-group companyname_access_in in interface companyname
access-group wifi_access_in in interface wifi
access-group dmz_access_in in interface dmz
route outside 0.0.0.0 0.0.0.0 x.x.x.177 1
route companyname 10.0.1.0 255.255.255.0 10.100.0.1 1
route companyname 10.100.1.0 255.255.255.0 10.100.0.1 1
route companyname 10.100.2.0 255.255.255.0 10.100.0.1 1
dynamic-access-policy-record DfltAccessPolicy
!
crypto dynamic-map outside_dyn_map 20 set pfs
crypto dynamic-map outside_dyn_map 20 set transform-set ESP-3DES-SHA TRANS_ESP_3DES_MD5
crypto dynamic-map outside_dyn_map 20 set security-association lifetime seconds 28800
crypto dynamic-map outside_dyn_map 20 set security-association lifetime kilobytes 4608000
crypto dynamic-map outside_dyn_map 40 set pfs
crypto dynamic-map outside_dyn_map 40 set transform-set ESP-3DES-SHA
crypto dynamic-map outside_dyn_map 40 set security-association lifetime seconds 28800
crypto dynamic-map outside_dyn_map 40 set security-association lifetime kilobytes 4608000
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set security-association lifetime seconds 28800
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set security-association lifetime kilobytes 4608000
crypto map outside_map 1 match address outside_1_cryptomap
crypto map outside_map 1 set pfs group1
crypto map outside_map 1 set peer a.b.c.1
crypto map outside_map 1 set transform-set ESP-3DES-SHA
crypto map outside_map 20 ipsec-isakmp dynamic outside_dyn_map
crypto map outside_map interface outside
!
group-policy DefaultRAGroup internal
group-policy DefaultRAGroup attributes
 wins-server value 10.100.0.3
 dns-server value 10.100.0.3
 default-domain value nom_societe.com
group-policy DefaultRAGroup_1 internal
group-policy DefaultRAGroup_1 attributes
 dns-server value 10.100.0.3
 vpn-tunnel-protocol l2tp-ipsec
group-policy securevpn internal
group-policy securevpn attributes
 wins-server value 10.100.0.3 10.100.0.2
 dns-server value 10.100.0.3 10.100.0.2
 vpn-idle-timeout 30
 vpn-tunnel-protocol IPSec
 default-domain value nom_societe.com
tunnel-group DefaultRAGroup general-attributes
 address-pool clientVPNpool
 authentication-server-group COMPANYNAME_AD
 default-group-policy DefaultRAGroup_1
tunnel-group DefaultRAGroup ipsec-attributes
 pre-shared-key *
tunnel-group securevpn type remote-access
tunnel-group securevpn general-attributes
 address-pool clientVPNpool
 authentication-server-group COMPANYNAME_AD
 default-group-policy securevpn
tunnel-group securevpn ipsec-attributes
 pre-shared-key *
tunnel-group securevpn ppp-attributes
 authentication ms-chap-v2
tunnel-group a.b.c.1 type ipsec-l2l
tunnel-group a.b.c.1 ipsec-attributes
 pre-shared-key *
Are you sure that the static config does not make it into the running configuration?
By applying this "big static" you're essentially trying to redirect ports which have already been forwarded by the rules in your existing configuration. This explains the warning: what you are trying to do has some overlap with the existing statics.
(Sorry for using the word forwarding, but this behavior makes more sense if you look at it like this, although "port forwarding" is not Cisco terminology.)
But... whenever I stumbled upon this issue, the warning was exactly that: a WARNING, not an ERROR. And everything works as I want it to work: the specific statics in my current config simply have priority over the big static.
If you tried to do the opposite (first the big static, then apply the more specific ones) you would get an error and the config would not be applied.
So could you tell me if the config is really not accepted?
-
IP overlap between remote access VPN and the inside interface
Hi all
I tried to replace an ASA and configured remote access VPN using the Cisco VPN client.
Remote access users are not able to access the inside network, but have no problem accessing the network through a site-to-site VPN.
One thing to note is that remote access VPN users are assigned an IP address from 10.X.3.1 - 10.X.3.200 mask 255.255.255.0. The inside interface is on 10.X.1.2 255.255.0.0.
Remote access users have no problem accessing the inside network if the VPN client pool is changed to 192.168.1.1 to 192.168.1.100.
ASA errors
6 Jan 07 2012 16:25:08 302013 10.X.3.1 27724 10.X.1.66 3389 Built inbound TCP connection 20940 for outside:10.X.3.1/27724 (10.X.3.1/27724)(LOCAL\Cisco) to inside:10.X.1.66/3389 (10.X.1.66/3389) (Cisco)
6 Jan 07 2012 16:25:08 106015 10.X.1.66 3389 10.X.3.1 27724 Deny TCP (no connection) from 10.X.1.66/3389 to 10.X.3.1/27724 flags SYN ACK on interface dmz
I understand that the overlap between access ip address range remote vpn network interface network and inside will cause routing problems, but why the syn - ack makes its appearance in the DMZ interface? The interface of the DMZ is on ip address 172.16.Y.1 255.255.255.0.
I intend to reduce the interface 10.X.0.0 255.255.254.0 inside if it is in fact a routing problem due to the IP address that overlap, but I understand why the syn - ack comes from the dmz interface and the diagnosis of the problem is correct. I check with the customer and was informed that the existing design works on an another ASA with no such problems.
I agree with what you said and also tried it, but it does not work.
http://www.Cisco.com/en/us/products/ps6120/products_tech_note09186a00807e0aca.shtml#overlap
Solution, which you already know:
Solution
Always ensure that the IP addresses in the pool to be assigned to VPN clients, the head-end's internal network, and the VPN client's internal network are in different networks. You can assign the same major network with different subnets, but this sometimes causes routing problems.
Thank you
Ajay
-
NAT on 8.3 and VPN tunnel with overlapping addresses
Hi all
I was looking at this document from Cisco and I think I understand how to convert the policy NAT to version 8.3 and later, but I was wondering what happens to the crypto ACL: do you still use the same one as on the older versions? As you know, from 8.3 on, NAT requires using the original (real) address instead of the translated address in the ACL, but I don't know whether this applies to the crypto ACL as well. Pointers?
Example from the link:
access-list new extended permit ip 192.168.2.0 255.255.255.0 192.168.3.0 255.255.255.0
!--- This access list (new) is used with the crypto map (outside_map)
!--- in order to determine which traffic should be encrypted
!--- and sent across the tunnel.
access-list policy-nat extended permit ip 192.168.1.0 255.255.255.0 192.168.3.0 255.255.255.0
!--- The policy-nat ACL is used with the static
!--- command in order to match the VPN traffic for translation.
static (inside,outside) 192.168.2.0 access-list policy-nat
!--- This is a policy NAT statement.
!--- The static command with the access list (policy-nat),
!--- which matches the VPN traffic and translates the source (192.168.1.0) to
!--- 192.168.2.0 for outbound VPN traffic.
crypto map outside_map 20 match address new
!--- Define which traffic should be sent to the IPsec peer with the
!--- access list (new).
Thank you
V
Hi rc001g0241,
I have quoted your question along for clarity's sake.
"what happens to the crypto acl, do you still use the same one as on the older versions?"
As you can see, the Cisco doc you posted shows that what you need to target in the crypto engine is what exists after policy NAT has been applied, illustrated here: "crypto map outside_map 20 match address new".
"As you know, from 8.3 on, NAT requires using the original instead of the translated address in the ACL, but I don't know whether this applies to the crypto ACL as well. Pointers?"
There is no such requirement, and the ACL you target in the crypto engine for tunnel-bound traffic can be a post-NAT address; that's what the Cisco doc shows and it is correct.
Hope that answers your questions.
Thank you
Rizwan James
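The thread above (and the PIX/Checkpoint one further down) both come down to the same mechanics: detect that a local subnet collides with address space the peer already uses, pick a mapped subnet that does not, translate only the traffic destined for the peer, and write the crypto ACL against the mapped (post-NAT) addresses. The following is an added example of my own, not code from the thread or from Cisco's document. It uses the addresses of the Cisco example quoted above; the object names LOCAL-REAL, LOCAL-MAPPED and REMOTE, the ACL name VPN and the peer prefix list are my assumptions.

```python
"""Added example: overlap check, 1:1 static NAT host mapping, and ASA config
generation for VPN policy NAT in pre-8.3 and 8.3+ syntax.  Not from the page."""
import ipaddress
from typing import Iterable, List


def overlapping(local: str, in_use_at_peer: Iterable[str]) -> List[str]:
    """Return the peer-side prefixes that collide with the local subnet."""
    lnet = ipaddress.ip_network(local, strict=False)
    return [p for p in in_use_at_peer
            if lnet.overlaps(ipaddress.ip_network(p, strict=False))]


def translate_host(host: str, real: str, mapped: str) -> str:
    """Subnet-to-subnet static NAT keeps the host part unchanged:
    192.168.1.55 in 192.168.1.0/24 becomes 192.168.2.55 in 192.168.2.0/24."""
    r, m = ipaddress.ip_network(real), ipaddress.ip_network(mapped)
    if r.prefixlen != m.prefixlen:
        raise ValueError("real and mapped subnets must be the same size")
    h = ipaddress.ip_address(host)
    if h not in r:
        raise ValueError(f"{host} is not inside {real}")
    return str(m.network_address + (int(h) - int(r.network_address)))


def asa_policy_nat(real: str, mapped: str, remote: str,
                   version_83_or_later: bool) -> List[str]:
    """Config lines that translate `real` to `mapped` only for traffic to
    `remote`, plus the crypto ACL.  In both syntaxes the crypto ACL matches
    the mapped (post-NAT) address, as the Cisco example in the thread does,
    because NAT is applied before the crypto map is consulted on egress."""
    r, m, d = (ipaddress.ip_network(x) for x in (real, mapped, remote))
    crypto = [
        f"access-list VPN extended permit ip {m.network_address} {m.netmask} "
        f"{d.network_address} {d.netmask}",
        "crypto map outside_map 20 match address VPN",
    ]
    if not version_83_or_later:
        # Pre-8.3: policy static with an ACL that matches real -> remote.
        return [
            f"access-list policy-nat extended permit ip {r.network_address} "
            f"{r.netmask} {d.network_address} {d.netmask}",
            f"static (inside,outside) {m.network_address} access-list policy-nat",
        ] + crypto
    # 8.3+: twice NAT with network objects (object names are assumed).
    return [
        "object network LOCAL-REAL",
        f" subnet {r.network_address} {r.netmask}",
        "object network LOCAL-MAPPED",
        f" subnet {m.network_address} {m.netmask}",
        "object network REMOTE",
        f" subnet {d.network_address} {d.netmask}",
        "nat (inside,outside) source static LOCAL-REAL LOCAL-MAPPED "
        "destination static REMOTE REMOTE",
    ] + crypto


if __name__ == "__main__":
    # Constructed input: prefixes assumed to be already in use at the peer.
    peer_prefixes = ["192.168.1.0/24", "172.16.0.0/12"]
    print("collisions:", overlapping("192.168.1.0/24", peer_prefixes))
    print("192.168.1.55 ->",
          translate_host("192.168.1.55", "192.168.1.0/24", "192.168.2.0/24"))
    for line in asa_policy_nat("192.168.1.0/24", "192.168.2.0/24",
                               "192.168.3.0/24", version_83_or_later=True):
        print(line)
```

Run it with no arguments to print the 8.3+ configuration; pass `version_83_or_later=False` to get the `static ... access-list` form used by the older example. The overlap check is the step worth automating when a partner hosts many tunnels: feed it every prefix the peer already carries, not just the one subnet you were told about.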
-
PIX with VPN to Checkpoint with overlapping subnets
I have a client with a PIX running 6.3 code.
They need to establish an IPsec tunnel to one of their customers who has a Checkpoint firewall.
Both organizations use 10.1.0.0/16, and I'd like to NAT the home office to 10.180.0.0/16 and the remote client to 10.181.0.0/16.
The document on Cisco's website for PIX and VPN concentrators is less than useful. I don't think the text describing the picture is correct.
Help with the ACL and static NAT is greatly appreciated.
Frederik
Apologies, I should have asked: which office has the PIX and which the Checkpoint? I'll write this as if both ends were PIX firewalls; that's fine and we can see if it helps.
Remote end
==========
access-list NAT permit ip 10.1.0.0 255.255.255.0 host 10.180.1.103
nat (inside) 3 access-list NAT
global (outside) 3 10.181.0.0-10.181.255.255 netmask 255.255.0.0
NOTE: you could really just NAT the 10.1.x.x source addresses to a single global IP address rather than the whole 10.181.0.0/16; up to you.
Your crypto map access list must then refer to the NATted 10.181.x.x addressing rather than the 10.1.0.0 addresses.
access-list vpntraffic permit ip 10.181.0.0 255.255.0.0 host 10.180.1.103
Main office
===========
The crypto access list should read:
access-list vpntraffic permit ip host 10.180.1.103 10.181.0.0 255.255.0.0
And you will need a static translation for the client access:
static (inside,outside) 10.180.1.103 10.1.1.103 netmask 255.255.255.255
Does that help?
Jon
-
[VPN Site-to-Site] Network that overlap
Hello
We have a Cisco ASA on 9.1 and many VPN clients that work very well on it.
Now we must connect to a partner with a site-to-site VPN.
We have a few problems:
- Duplicate IP addresses (we use 10.145.0.0/16 and the partner uses 10.0.0.0/8)
- The partner cannot use NAT on their router
What are the best options for configuring the site-to-site VPN?
Thanks for your help,
Patrick
Hi Patrick,
The best option here is to specify only the required subnets in the crypto map / encryption domain...
In other words, if 10.0.0.0/8 only needs access to a few subnets, 10.1.0.0/24, 10.10.20.0/24... you can specify only those in your crypto ACL... Alternatively, you can use a deny statement for the specific 10.145.0.0/16 in the crypto map, but I am not sure whether that gives you the best result.
If the required access is mixed across several 10.x.x.x/8 statements... then you can have the crypto ACL with sub-ranges as the encryption domain... Here you skip only the 10.145.0.0/16 subnet range...
10.0.0.0/9 to 10.145.0.0/16
10.128.0.0/12 to 10.145.0.0/16
10.146.0.0/15 to 10.145.0.0/16
10.148.0.0/14 to 10.145.0.0/16
10.152.0.0/13 to 10.145.0.0/16
10.160.0.0/11 to 10.145.0.0/16
10.192.0.0/10 to 10.145.0.0/16
but make sure you do not have any servers in 10.145.0.0/16 on your local network that the client requires access to...
Link about deny statements in crypto ACLs:
https://supportforums.Cisco.com/discussion/10909276/crypto-ACL-question
Regards
Knockaert
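Carving a partner's /8 into the largest blocks that avoid your own /16 is tedious to do by hand, and a missed block silently leaves part of the partner's space unreachable. The following is an added example of my own (not the reply's), using the thread's addresses: it computes the carve-out with the standard library, verifies that none of the resulting blocks touches the local range, and prints the crypto ACL. The ACL name VPN_PARTNER is assumed. The computed set has eight blocks, including 10.144.0.0/16, so comparing it against a hand-written list is the point of running it.

```python
"""Added example: build a crypto ACL that covers a partner's 10.0.0.0/8 while
excluding our own 10.145.0.0/16, for a partner that cannot NAT.  Not from the page."""
import ipaddress
from typing import Iterable, List

IPv4Net = ipaddress.IPv4Network


def carve_out(big: str, holes: Iterable[str]) -> List[IPv4Net]:
    """Return `big` minus every prefix in `holes`, as a sorted list of the
    largest CIDR blocks that do not overlap any hole."""
    remaining = [ipaddress.ip_network(big)]
    for hole in holes:
        h = ipaddress.ip_network(hole)
        nxt: List[IPv4Net] = []
        for n in remaining:
            if not n.overlaps(h):
                nxt.append(n)                      # untouched by this hole
            elif h.subnet_of(n):
                nxt.extend(n.address_exclude(h))   # split n around the hole
            # else: n lies entirely inside the hole and is dropped
        remaining = nxt
    return sorted(remaining)


def check_no_overlap(blocks: Iterable[IPv4Net], local: str) -> bool:
    """True when no block would claim any address of our own `local` range."""
    lnet = ipaddress.ip_network(local)
    return all(not b.overlaps(lnet) for b in blocks)


def crypto_acl(name: str, local: str, remote_blocks: Iterable[IPv4Net]) -> List[str]:
    """One permit ACE per remote block; source is our local subnet."""
    lnet = ipaddress.ip_network(local)
    return [f"access-list {name} extended permit ip {lnet.network_address} "
            f"{lnet.netmask} {b.network_address} {b.netmask}"
            for b in remote_blocks]


if __name__ == "__main__":
    # Constructed input: the thread's partner /8 and our own /16.
    ours = "10.145.0.0/16"
    blocks = carve_out("10.0.0.0/8", [ours])
    assert check_no_overlap(blocks, ours)
    for ace in crypto_acl("VPN_PARTNER", ours, blocks):
        print(ace)
```

`carve_out` accepts several holes, so the same call also handles the case where more than one of your own ranges sits inside the partner's space. Hosts in 10.145.0.0/16 remain invisible to the partner by construction; that is the trade-off the reply points out, and it cannot be avoided without NAT on one side.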
-
Tunnel from site to site VPN that overlap within the network
Hi all
I need to connect 2 networks via a site-to-site VPN tunnel. On one side, there is a PIX 506E terminating the VPN. The other side, I'm not too sure about yet.
However, what I do know is that both sides of the tunnel use the exact same IP subnet, 192.168.1.0/24.
This creates a problem when I need to define the routing and the rest of it when it comes to the VPN and which traffic should be secured, etc.
However, while reading a lot for the Cisco Adv. PIX exam, I noticed that outside NAT can solve my 'small' problem.
That's all it says, but I'd really like to see an example configuration of this, or hear from someone who has implemented it.
Anyone?
Steffen
How about this?
http://www.Cisco.com/en/us/Tech/tk583/TK372/technologies_configuration_example09186a00800949f1.shtml
-
Problem VPN site to Site with overlapping networks
We currently have a PIX 515E firewall as a head-end with many site-to-site tunnels configured to it, with PIX 506 endpoints. Our internal LAN addressing scheme is 172.18.0.0 255.255.0.0. The LAN addresses in two of the remote networks with site-to-site VPN configured are 172.18.107.0 255.255.255.224 and 172.18.107.32 255.255.255.0. The remote networks access all services on our internal network very well. We have 20 other network segments configured the same way. The 172.18.107.32 network needs to communicate with the 172.18.107.0 network for file services on the other remote PIX. Since the head-end PIX will not allow traffic to leave the same interface it came in on, we thought we would just set up a site-to-site tunnel between the two remote LANs. After configuring the site-to-site, the remote firewalls do not appear to even try to establish the tunnels when interesting traffic is sent. I turned on debugging for ISAKMP and nothing is either sent or received on either remote firewall with regard to these tunnels. It's almost as if, since we already have a tunnel set up to our 172.18.0.0 internal LAN, the remote PIX will not build the tunnel specifically to 172.18.107.0. I am able to ping each remote peer from the other, and the protection rules are hit, but nothing ever gets established.
Is what we are trying to do possible? Sorry for the long post, but it's kind of a strange scenario. Thanks in advance for any help.
In what order are the crypto map sequence numbers for the VPN configurations on the remote PIX units? It could be that the one you are trying to set up has a higher number and is checked after the head-end PIX entry. If that is the case, then yes, the 172.18/16 route would take precedence over 172.18.107/24. Try rebuilding the crypto map entry with a lower number so that the traffic to 172.18.107/24 is matched first.
Let me know how it goes.