With NAT VPN tunnels

I have read on several posts on the topic and still think I'm missing something, I'm looking for help.

Basically, I'm now implementing multiple VPN tunnels for external connections. We strive to keep the external "private addresses" our basic using NAT network.

I can get the Tunnel to work without problems using the ACL SHEEP; However, this technique requires that our internal network is aware of their external addresses "private." Our goal is to enter an address on the inside that is NAT to the external address 'private' and then shipped via the VPN tunnel. Basically to hide the external address 'private' of our internal systems that they would appear as thought the connection was one of our own networks.

The reverse is true coming from their external 'private' network. Any information of "their" private network external origin would result in our 'private' on arrival address space.

Is this possible? I am attaching a schema, which could help.

Hello

Yes, this should be possible. Lets say you allocate 10.112.2.250 as the address that you use to present the external server 192.168.10.10.

On your ASA device

public static 10.112.2.250 (exterior, Interior) 192.168.10.10 netmask 255.255.255.255

You will need to make sure that when the system tries to connect to 10.112.2.250 it is routed to the device of the SAA.

HTH

Jon

Tags: Cisco Security

Similar Questions

NAT VPN tunnel and still access Internet traffic

Hello

Thank you in advance for any help you can provide.

I have a server with the IP 192.168.1.9 that needs to access a subnet remote from 192.168.50.0/24, through the Internet. However, before the server can access the remote subnet, the server IP must be NAT'ed to 10.1.0.1 because the VPN gateway remote (which is not under my control) allows access to other customers who have the same subnet address that we do on our local network.

We have a 2801 Cisco (running c2801-advsecurityk9 - mz.124 - 15.T9.bin) set up to make the NAT. It is the only gateway on our network.

I have configured the Cisco 2801 with the following statements of NAT and the relevant access lists:

access-list 106 allow host ip 192.168.1.9 192.168.50.0 0.0.0.255

NAT extended IP access list
refuse the host ip 192.168.1.9 192.168.50.0 0.0.0.255
deny ip 192.168.1.0 0.0.0.255 192.168.3.0 0.0.0.255
ip permit 192.168.1.0 0.0.0.255 any

route allowed ISP 10 map
corresponds to the IP NAT

IP nat EMDVPN 10.1.0.1 pool 10.1.0.1 netmask 255.255.255.0
IP nat inside source list 106 pool EMDVPN
IP nat inside source map route ISP interface FastEthernet0/1 overload

When the server (192.168.1.9) attempts to ping on the subnet of 192.168.50.0/24 devices, the VPN tunnel is established successfully. However, after that, the server is no longer able to access the Internet because the NAT translation for 192.168.1.9 has changed since the external IP address of the router (FastEthernet0/1) at 10.1.0.1.

The documentation I've seen on the site of Cisco says that this type of Setup allows only host subnet communication. Internet access is not possible. However, maybe I missed something, or one of you experts can help me. Is it possible to configure the NAT router traffic destined to the VPN tunnel and still access the Internet by using the dynamic NAT on FastEthernet0/1?

Once again, thank you for any help you can give.

Alex

Hello

Rather than use a pool for NAT

192.168.1.9 - 10.1.0.1 > 192.168.50.x

ACL 102 permit ip 192.168.1.9 host 192.168.50.0 0.0.0.255

RM-STATIC-NAT route map permit 10
corresponds to the IP 102

IP nat inside source static 192.168.1.9 10.1.0.1 card expandable RM-STATIC-NAT route

ACL 101 deny host ip 192.168.1.9 192.168.50.0 0.0.0.255
ACL 101 by ip 192.168.1.0 0.0.0.255 any
overload of IP nat inside source list 101 interface FastEthernet0/1

VPN access list will use the source as 10.1.0.1... *.

Let me know if it works.

Concerning

M

Help with a VPN tunnel between ASA 5510 and Juniper SSG20

Hello

We have a customer wanting to configure a VPN Site to Site tunnel between a new purchased 5510 of ASA located in his direction with its Juniper SSG20 Office, located in the main office. We contacted HP and they send us a Cisco professional to do the job.

After 2 days from 16:00 to 22:00 and error and countless hours of research online and nunerous calls, we are still unable to get traffic from the network of agencies to enter the tunnel.

Main branch
1.1.1.2                                 1.1.1.1
-----                                               -----------
192.168.8.0/24 | ASA|-----------------------------------| Juniper |    192.168.1.0/24
-----                                               -----------
192.168.8.254 192.168.1.254

According to Cisco professionals, the tunnel is now in place but no traffic through. We are unable to ping anything on the network on the other side (192.168.1.0/24). We receive timeout ping all the time. The Cisco professional told us it's a routing or NAT problem and he's working on a solution!

Through research, I came across a post on Experts-Exchange (here) [the 1st comment on the original post] which States "...". that both sides of the VPN must have a different class of LAN for the VPN to work... " Would that be our problem?

It has become a critical issue to the point that he had to replace the Cisco ASA with a temporary Juniper SSG5 on another subnet (192.168.7.0/24) to get the tunnel upward and through traffic until the ASA VPN issue is resolved and I didn't need to say that the client is killing us!

Help is very appreciated.

Thank you

1. Yes, ping package from the interface of the ASA is considered valuable traffic to the LAN of Juniper.

SAA, need you traffic from the interface source ASA's private, because interesting to determine by crypto ACL MYLIST traffic between 192.168.8.0/24 and 192.168.1.0/24.

You will also need to add the following configuration to be able to get the ping of the interface of the ASA:

management-private access

To initiate the ping of the private interface ASA:

ping 192.168.1.254 private

2. the default time before the next generation of new key is normally 28800 seconds, and if there is no interesting traffic flowing between 2 subnets, he'll tear the VPN tunnel down. As soon as there is interesting traffic, the VPN tunnel will be built automatically into the next generation of new key. However, if there is traffic before generating a new key, the new tunnel will be established, and VPN tunnel will remain standing and continue encrypt and decrypt traffic.

Currently, your configuration has been defined with ITS lifetime of 3600 seconds GOLD / 4608000 kilobytes of traffic before the next generate a new key (it will be either 3600 seconds, or 4608000 kilobytes period expires first). You can certainly change it by default to 28800 seconds without configuring kilobytes. SA life is negotiated between the ASA and Juniper, and whatever is the lowest value will be used.

Hope that helps.

ASA5505 with 2 VPN tunnels failing to implement the 2nd tunnel

Hello

I have an ASA5505 that currently connects a desktop remotely for voip and data. I added a 2nd site VPN tunnel to a vendor site. It's this 2nd VPN tunnel that I have problems with. It seems that the PHASE 1 negotiates well. However, I'm not a VPN expert! So, any help would be greatly appreciated. I have attached the running_config on my box, debug (ipsec & isakmp) information and information about the provider they gave me today. They use an ASA5510.

My existing VPN tunnel (which works) is marked 'outside_1_cryptomap '. It has the following as interesting traffic:

192.168.1.0/24-> 192.168.3.0/24

192.168.2.0/24-> 192.168.3.0/24

10.1.1.0/24-> 192.168.3.0/24

-> 192.168.3.0/24 10.1.2.0/24

10.1.10.0/24-> 192.168.3.0/24

10.2.10.0/24-> 192.168.3.0/24

The new VPN tunnel (does not work) is labeled "eInfomatics_1_cryptomap". It has the following as interesting traffic:

192.168.1.25/32-> 10.10.10.83/32

192.168.1.25/32-> 10.10.10.47/32

192.168.1.26/32-> 10.10.10.83/32

192.168.1.26/32-> 10.10.10.47/32

Here's the info to other VPN (copy & pasted from the config)

permit access list extended ip 192.168.1.26 eInfomatics_1_cryptomap host 10.10.10.83

permit access ip host 192.168.1.25 extended list eInfomatics_1_cryptomap 10.10.10.83

permit access ip host 192.168.1.25 extended list eInfomatics_1_cryptomap 10.10.10.47

permit access list extended ip 192.168.1.26 eInfomatics_1_cryptomap host 10.10.10.47

Crypto ipsec transform-set esp-SHA-ESP-3DES-3des esp-sha-hmac

life crypto ipsec security association seconds 28800

Crypto ipsec kilobytes of life - safety 4608000 association

card crypto outside_map 1 match address outside_1_cryptomap

peer set card crypto outside_map 1 24.180.14.50

card crypto outside_map 1 set of transformation-ESP-3DES-SHA

card crypto outside_map 2 match address eInfomatics_1_cryptomap

peer set card crypto outside_map 2 66.193.183.170

card crypto outside_map 2 game of transformation-ESP-3DES-SHA

outside_map interface card crypto outside

crypto isakmp identity address

crypto ISAKMP allow outside

crypto ISAKMP policy 10

preshared authentication

3des encryption

sha hash

Group 2

life 86400

tunnel-group 24.180.14.50 type ipsec-l2l

IPSec-attributes tunnel-group 24.180.14.50

pre-shared key *.

tunnel-group 66.193.183.170 type ipsec-l2l

IPSec-attributes tunnel-group 66.193.183.170

pre-shared key *.

Thanks in advance

-Matt

Hello

The seller put a parameter group2 PFS (Perfect Forward Secrecy) of Phase 2, so that you don't have it.

So you can probalby try adding the following

card crypto outside_map 2 pfs group2 set

I think he'll simply enter as

card crypto outside_map 2 set pfs

Given that the 'group 2' is the default

-Jouni

Question regarding full mesh with ASA5505 vpn tunnels.

I have 5 remote sites, all of which are connected to the internet through different Internet service providers. My plan was to do a VPN tunnels on each ASA L2L going to other sites (4 tunnels on each SAA). I was wondering if it's the best way to go about this or if I do something else? A full mesh is necessary in this case.

Thank you!

Jason

We don't know enough about your environment to give really good advice on what is best. But according to the description you provided I'd say a VPN L2L of each ASA to all other ASAs would be a very reasonable thing to do.

HTH

Rick

Public static political static NAT in conflict with NAT VPN

I have a situation where I need to create a VPN site-to site between an ASA 5505 using IOS 7.2 and a Sonicwall NSA4500. The problem arises where the LAN behind the Cisco ASA has the same subnet an existing VPN currently created on the Sonicwall. Since the Sonicwall cannot have two VPN both run on the same subnet, the solution is to use policy NAT on the SAA as well as for the Sonicwall, the new VPN seems to have a different subnet.

The current subnet behind the ASA is 192.168.10.0/24 (The Sonicwall already has a private network virtual created for another customer with the same subnet). I try to translate it to 192.168.24.0/24. The peer LAN (behind the Sonicwall) is 10.159.0.0/24. The ASA relevant configuration is:

interface Vlan1

IP 192.168.10.1 255.255.255.0

access extensive list ip 192.168.24.0 outside_1_cryptomap allow 255.255.255.0 10.159.0.0 255.255.255.0

list of access VPN extended permit ip 192.168.10.0 255.255.255.0 10.159.0.0 255.255.255.0

public static 192.168.24.0 (inside, outside) - list of VPN access

card crypto outside_map 1 match address outside_1_cryptomap

In addition, there are other static NAT instructions and their associated ACLs that allow certain traffic through the firewall on the server, for example:

public static tcp (indoor, outdoor) interface smtp SERVER smtp netmask 255.255.255.255

The problem is this: when I enter the static strategy statement NAT, I get the message ' WARNING: real-address conflict with existing static "and then it refers to each of the static NAT statements reflecting the external address to the server. I've thought about it, and it seemed to me that the problem was that policy NAT statement must be the first statement of NAT (it is the last one) so that it is run first and all traffic destined to the VPN to the Sonicwall (destination 10.159.0.0/24) tunnel would be properly treated. If I left him as the last statement, then the other static NAT statements would prevent a part of the 10.159.0.0/24 network-bound traffic to be correctly routed through the VPN.

So, I tried first to my stated policy NAT upward in the ASDM GUI interface. However, moving the declaration was not allowed. Then I tried to delete the five static NAT statements that point to the server (an example is above) and then recreate them, hoping that would then move up the policy statement NAT. This also failed.

What Miss me?

Hello

I assumed that we could have changed the order of the 'static' , the original orders, but as it did not work for some reason any then it seems to me that you suggested or change, that I proposed should work.

I guess that your purpose was to set up static political PAT for the VPN for some these services, then static PAT of public network access, then static NAT to policy for the rest of the network in-house.

I guess you could choose any way seems best for you.

Let me know if get you it working. I always find it strange that the original configuration did not work.

Remember to mark a reply as the answer if it answered your question.

Feel free to ask more if necessary

-Jouni

Cisco Asa vpn site-to-site with nat

Hi all

I need help
I want to make a site from the site with nat vpn
Site A = 10.0.0.0/24
Site B = 10.1.252.0/24

I want when site A to site B, either by ip 172.26.0.0/24

Here is my configuration

inside_nat_outbound to access ip 10.0.0.0 scope list allow 255.255.255.0 10.1.252.0 255.255.255.0

tunnel-group x.x.x.x type ipsec-l2l
tunnel-group ipsec-attributes x.x.x.x
pre-shared-key!

ISAKMP retry threshold 10 keepalive 2

Crypto ipsec transform-set ESP-AES-256-SHA 256 - aes - esp esp-sha-hmac
card crypto outside_map 2 match address inside_nat_outbound

card crypto outside_map 2 pfs set group5
card crypto outside_map 2 peers set x.x.x.x

card crypto outside_map 2 game of transformation-ESP-AES-256-SHA

NAT (inside) 10 inside_nat_outbound

Global 172.26.0.1 - 172.26.0.254 10 (outside)

but do not work.

Can you help me?

Concerning

Frédéric

You must ensure that there is no NAT 0 ACL statement because it will take precedence over the static NAT.

You don't need:

Global 172.26.0.1 - 172.26.0.254 10 (outside)

NAT (inside) 10 access-list nattoyr

Because it will be replaced by the static NAT.

In a Word is enough:

nattoyr to access ip 10.0.0.0 scope list allow 255.255.255.0 10.1.252.0 255.255.255.0

access extensive list ip 172.26.0.0 vpntoyr allow 255.255.255.0 10.1.252.0 255.255.255.0

public static 172.26.0.0 (inside, outside) - nattoyr access list

card crypto outside_map 2 match address vpntoyr

card crypto outside_map 2 pfs set group5

card crypto outside_map 2 defined peer "public ip".

card crypto outside_map 2 game of transformation-ESP-AES-256-SHA

outside_map interface card crypto outside

tunnel-group "public ip" type ipsec-l2l

tunnel-group "public ip" ipsec-attributes

pre-shared key *.

-Make sure that it not there no NAT ACL 0 including the above statements and check if NAT happening (sh xlate) and the

traffic is being encryption (sh cry ips its)

Federico.

Publish a server with NAT anchored through a tunnel VPN with ASA

Hi all

Thanks in advance for helping me out - I know somebody did, and I have trouble finding how do. I don't know that I'm missing something simple.

I have a client who wants to view a DVR device through a VPN tunnel that is published through the public firewall to collocation. Endpoint DVR is endpoint ip assigned dynamically which tunnelle the host on demand (I know that the tunnel could fall).

So I think / thought I could hairpin hair/policy nat this, but I'm not the best at this.

Let's see if I can get this

IP public 1.1.1.1\

> External interface of ASA

2.2.2.2 / private ip

My config as I know it is pertinant is as follows:

permit same-security-traffic intra-interface

list of allowed incoming access extended ip any host 168.215.x.x

Access-group interface incoming outside

public static 168.215.x.x (outside, outside) 10.10.x.xnetmask 255.255.255.255

I am running version 8.2.5 of the image of the SAA.

If you could take a look and let me know what Miss me you please.

Thank you

Hello

The problem here is of course the fact that we can not configure NAT0 without causing all traffic from the remote Internet can flow through the VPN connection.

So I wonder if another type of NAT configuration would actually work.

I would call it static political identity NAT if such a name exists yet.

Something like that

Note of DVR-POLICY-NAT-list of Direct HTTP access to VPN traffic

allow to Access-list DVR-POLICY-NAT tcp host 10.10.2.253 eq 80 a

public static 10.10.2.53 (inside, outside) access list DVR-POLICY-NAT

This should basically do what
- When the DVR is sending any traffic source TCP TCP/80 (essentially the traffic back to the connection from the main site) to ANY destination address (The Internet) then the host must translate to himself.
- If we consider that NAT is performed before the VPN rules are processed this should mean that since we have concerns address itself, it must match the VPN rule only in this particular case where the traffic is TCP/80, which could only be the result of her replying to a link any destination TCP/80)
- Which leads me to believe it shouldn't cause any problems with the Central connection on remote site (NAT0 is processed before political static NAT) or the RECORDER to Internet
- Unless the DVR must be accessible directly via the Internet connection of the remote site. (He would send his answers to these HTTP connections outside with the originating source IP address) Or maybe even completely before connecting the phase failure. I have not tested.
Hope this helps

Be sure to mark it as answered in the affirmative. And/or useful response rate.

Ask more if necessary.

EDIT: typos

-Jouni

Remote host IP SLA ping by tunnel VPN with NAT

Hi all

I did some research here, but don't drop on similar issues. I'm sure that what I want is not possible, but I want to make sure.

I want to monitor a remote host on the other side a VPN. The local endpoint is my ASA.

The local INSIDE_LAN traffic is NATted to 10.19.124.1 before entering the VPN tunnel.

Interesting VPN traffic used ACL card crypto:

access-list 1 permit line ACL_TUNNELED_TO_REMOTE extended ip host 10.19.124.1 192.168.1.0 255.255.255.0

NAT rules:

Global (OUTSIDE) 2 10.19.124.1 mask 255.255.255.255 subnet

NAT (INSIDE_LAN) 2-list of access ACL_NAT_TO_REMOTE

NAT ACL

access-list 1 permit line ACL_NAT_TO_REMOTE extended ip 172.19.126.32 255.255.255.224 192.168.1.0 255.255.255.0

This configuration works very well for traffic from hosts in 172.19.126.32 255.255.255.224 is 192.168.1.0 255.255.255.0.

However, I like to use "ip sla" on the SAA itself to monitor a remote host with icmp ping 192.168.1.0. This would imply NATting one IP on the ASA to 10.19.124.1, but I do not see how to do this. None of the interfaces on the SAA are logical, to use as a source for this interface.

Thanks for ideas and comments.

Concerning

You are absolutely right, that unfortunately you won't able to NAT interface ASA IP address. NAT works for traffic passing by the ASA, don't not came from the SAA itself.

Tunnel VPN L2L with NATTing will not allow traffic which will be initiated by spoke to the hub.

Traffic from internal hosts will NAT address works ok, but what speaks tests it traffic never connects.

get the 10.1.12.232 NAT host would be 172.27.63.133 and past through the VPN tunnel to 10.24.4.65 without problem. However when 10.24.4.65 tries to ping or connect to 172.27.63.133 traffic does not make inside host 10.1.12.232

ASA-1 #.
!
network object obj - 172.27.73.0
172.27.73.0 subnet 255.255.255.0
network object obj - 172.27.63.0
172.27.63.0 subnet 255.255.255.0
network object obj - 10.1.0.0
10.1.0.0 subnet 255.255.0.0
network object obj - 10.24.4.64
subnet 10.24.4.64 255.255.255.224
network object obj - 172.27.73.0 - 172.27.73.255
range 172.27.73.0 172.27.73.255
the object of the 10.0.0.0 network
subnet 10.0.0.0 255.0.0.0
network object obj - 24.173.237.212
Home 24.173.237.212
network object obj - 10.1.12.232
Home 10.1.12.232
network object obj - 172.27.63.133
Home 172.27.63.133
the DM_INLINE_NETWORK_9 object-group network
object-network 10.0.0.0 255.255.255.0
object-network 10.0.11.0 255.255.255.0
object-network 10.0.100.0 255.255.255.0
object-network 10.0.101.0 255.255.255.0
object-network 10.0.102.0 255.255.255.0
object-network 10.0.103.0 255.255.255.0
the DM_INLINE_NETWORK_16 object-group network
object-network 10.1.11.0 255.255.255.0
object-network 10.1.12.0 255.255.255.0
object-network 10.1.13.0 255.255.255.0
object-network 10.1.3.0 255.255.255.0
!
outside_1_cryptomap list extended access permitted ip object-group DM_INLINE_NETWORK_16-group of objects DM_INLINE_NETWORK_9
access extensive list ip 172.27.73.0 outside_8_cryptomap allow 255.255.255.0 10.24.4.64 255.255.255.224
access extensive list ip 172.27.63.0 outside_8_cryptomap allow 255.255.255.0 10.24.4.64 255.255.255.224
!
list of allowed outside access extended ip 10.24.4.64 255.255.255.224 172.27.63.0 255.255.255.0
list of allowed outside access extended ip 10.24.4.64 255.255.255.224 10.1.0.0 255.255.0.0
list of allowed outside access extended ip 172.27.63.0 255.255.255.0 10.1.0.0 255.255.0.0
!
NAT (inside, all) source static obj - 172.27.73.0 obj - 172.27.73.0 destination static obj - 10.24.4.64 obj - 10.24.4.64 no-proxy-arp-search to itinerary
NAT (inside, all) source static obj - 172.27.63.0 obj - 172.27.63.0 destination static obj - 10.24.4.64 obj - 10.24.4.64 no-proxy-arp-search to itinerary
NAT (inside, outside) source dynamic obj - 10.66.0.0 obj - 172.27.73.0 - 172.27.73.255 destination static obj - 10.24.4.64 obj - 10.24.4.64
NAT (inside, outside) source dynamic obj - 10.70.0.0 obj - 172.27.73.0 - 172.27.73.255 destination static obj - 10.24.4.64 obj - 10.24.4.64
NAT (inside, outside) source dynamic obj - 10.96.228.0 obj - 172.27.73.0 - 172.27.73.255 destination static obj - 10.24.4.64 obj - 10.24.4.64
NAT (inside, outside) source dynamic obj - 10.96.229.0 obj - 172.27.73.0 - 172.27.73.255 destination static obj - 10.24.4.64 obj - 10.24.4.64
NAT (inside, outside) source dynamic obj - 192.168.5.0 obj - 172.27.73.0 - 172.27.73.255 destination static obj - 10.24.4.64 obj - 10.24.4.64
NAT (inside, outside) source dynamic obj - 10.75.0.0 obj - 172.27.73.0 - 172.27.73.255 destination static obj - 10.24.4.64 obj - 10.24.4.64
NAT (inside, outside) source dynamic obj - 10.11.0.0 obj - 172.27.73.0 - 172.27.73.255 destination static obj - 10.24.4.64 obj - 10.24.4.64
NAT (inside, outside) source static obj - 10.1.3.37 obj - 10.71.0.37 destination static obj - 50.84.209.140 obj - 50.84.209.140
NAT (inside, outside) source static obj - 10.1.3.38 obj - 10.71.0.38 destination static obj - 50.84.209.140 obj - 50.84.209.140
NAT (inside, outside) source static obj - 10.1.12.232 obj - 172.27.63.133 destination static obj - 10.24.4.64 obj - 10.24.4.64
NAT (inside, outside) source dynamic obj - 10.1.0.0 obj - 172.27.73.0 - 172.27.73.255 destination static obj - 10.24.4.64 obj - 10.24.4.64
!
NAT (exterior, Interior) source static obj - 10.24.4.64 obj - 10.24.4.64 destination static obj - 172.27.63.133 obj - 10.1.12.232
NAT (outside, outside) source static obj - 10.24.4.64 obj - 10.24.4.64 destination static obj - 172.27.63.133 obj - 10.1.12.232

the object of the 10.0.0.0 network
NAT (inside, outside) dynamic obj - 24.173.237.212
!
NAT (VendorDMZ, outside) the after-service automatic source dynamic obj - 192.168.13.0 obj - 24.173.237.212
outside access-group in external interface
Route outside 0.0.0.0 0.0.0.0 24.173.237.209 1
Route inside 10.1.0.0 255.255.0.0 10.1.10.1 1
Route inside 10.2.1.0 255.255.255.248 10.1.10.1 1
!
Crypto ipsec transform-set ikev1 SHA-ESP-3DES esp-3des esp-sha-hmac
Crypto ipsec transform-set ikev1 ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
Crypto ipsec transform-set ikev1 ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
Crypto ipsec transform-set ikev1 ESP-3DES-SHA-DH2-esp-3des esp-sha-hmac
Crypto ipsec pmtu aging infinite - the security association
!
card crypto GEMed 8 corresponds to the address outside_8_cryptomap
card crypto GEMed 8 set peer 64.245.57.4
card crypto GEMed 8 set ikev1 transform-set ESP-AES-256-SHA ESP-AES-256-MD5
GEMed outside crypto map interface
!
: end
ASA-1 #.

Hello

First of all, I would like to remove these two lines because they do nothing productive
```
nat (outside,inside) source static obj-10.24.4.64 obj-10.24.4.64 destination static obj-172.27.63.133 obj-10.1.12.232nat (outside,outside) source static obj-10.24.4.64 obj-10.24.4.64 destination static obj-172.27.63.133 obj-10.1.12.232
```
Then, I was running packet - trace to see what NAT rule actually hit you.
```
packet-tracer input inside 10.1.12.232 12345 10.24.4.65 12345
```

IPSec Tunnel between Cisco 2801 and Netscren 50 with NAT and static

Hello

My problem isn't really the IPSec connection between two devices (it is already done...) But my problem is that I have a mail server on the site of Cisco, who have a static NAT from inside to outside. Due to the static NAT, I do not see the server in the VPN tunnel. I found a document that almost describes the problem:

"Configuration of a router IPSEC Tunnel private-to-private network with NAT and static" (Document ID 14144)

NAT takes place before the encryption verification!

In this document, the solution is 'routing policy' using the loopback interface. But, how can I handle this with the Netscreen firewall. Someone has an idea?

Thanks for any help

Best regards

Heiko

Hello

Try to change your static NAT with static NAT based policy.

That is to say the static NAT should not be applicable for VPN traffic

permissible static route map 1

corresponds to the IP 104

access-list 104 refuse host ip 10.1.110.10 10.1.0.0 255.255.0.0

access-list 104 allow the host ip 10.1.110.10 all

IP nat inside source static 10.1.110.10 81.222.33.90 map of static route

HTH

Kind regards

GE.

VPN on ASA 5506 without internet access, help with NAT?

Hello

I have upgraded to a Cisco ASA 5505 to a 5506 X and as such have climbed to ASA 9.5

For this reason, I'm a bit stuck on how to implement the VPN. I followed the wizard and I can now establish inbound connections, but when connected (all traffic is tunnel) there is no internet connectivity.

Our offices internal (inside) network is 192.168.2.0/24

Our VPN pool is 192.168.4.0/24

I guess that I'm missing a NAT rule, but in all honesty, I'm a user ASDM and as everything is changed, I am struggling to recreate it?

Here is my config:

Result of the command: "sh run"

: Saved

:
: Serial Number: JAD194306H5
: Hardware:   ASA5506, 4096 MB RAM, CPU Atom C2000 series 1250 MHz, 1 CPU (4 cores)
:
ASA Version 9.5(1)
!
hostname ciscoasanew
domain-name work.internal
enable password ... encrypted
names
ip local pool RemoteVPNPool 192.168.4.1-192.168.4.254 mask 255.255.255.0
!
interface GigabitEthernet1/1
 nameif outside
 security-level 0
 ip address 192.168.3.4 255.255.255.0
!
interface GigabitEthernet1/2
 nameif inside
 security-level 100
 ip address 192.168.2.197 255.255.255.0
!
interface GigabitEthernet1/3
 shutdown
 no nameif
 no security-level
 no ip address
!
interface GigabitEthernet1/4
 shutdown
 no nameif
 no security-level
 no ip address
!
interface GigabitEthernet1/5
 shutdown
 no nameif
 no security-level
 no ip address
!
interface GigabitEthernet1/6
 shutdown
 no nameif
 no security-level
 no ip address
!
interface GigabitEthernet1/7
 shutdown
 no nameif
 no security-level
 no ip address
!
interface GigabitEthernet1/8
 shutdown
 no nameif
 no security-level
 no ip address
!
interface Management1/1
 management-only
 nameif management
 security-level 100
 ip address 192.168.1.1 255.255.255.0
!
ftp mode passive
clock timezone GMT 0
dns domain-lookup inside
dns domain-lookup management
dns server-group DefaultDNS
 name-server 192.168.2.199
 domain-name work.internal
same-security-traffic permit inter-interface
same-security-traffic permit intra-interface
object network obj_any
 subnet 0.0.0.0 0.0.0.0
object network 173.0.82.0
 host 173.0.82.0
object network 173.0.82.1
 subnet 66.211.0.0 255.255.255.0
object network 216.113.0.0
 subnet 216.113.0.0 255.255.255.0
object network 64.4.0.0
 subnet 64.4.0.0 255.255.255.0
object network 66.135.0.0
 subnet 66.135.0.0 255.255.255.0
object network a
 host 192.168.7.7
object network devweb
 host 192.168.2.205
object network DevwebSSH
 host 192.168.2.205
object network DEV-WEB-SSH
 host 192.168.2.205
object network DEVWEB-SSH
 host 192.168.2.205
object network vpn-network
 subnet 192.168.4.0 255.255.255.0
object network NETWORK_OBJ_192.168.4.0_24
 subnet 192.168.4.0 255.255.255.0
object network NETWORK_OBJ_192.168.2.0_24
 subnet 192.168.2.0 255.255.255.0
object-group network EC2ExternalIPs
 network-object host 52.18.73.220
 network-object host 54.154.134.173
 network-object host 54.194.224.47
 network-object host 54.194.224.48
 network-object host 54.76.189.66
 network-object host 54.76.5.79
object-group network PayPal
 network-object object 173.0.82.0
 network-object object 173.0.82.1
 network-object object 216.113.0.0
 network-object object 64.4.0.0
 network-object object 66.135.0.0
object-group service DM_INLINE_SERVICE_1
 service-object icmp
 service-object icmp6
 service-object icmp alternate-address
 service-object icmp conversion-error
 service-object icmp echo
 service-object icmp information-reply
 service-object icmp information-request
access-list outside_access_in extended permit tcp object-group EC2ExternalIPs object DEVWEB-SSH eq ssh
access-list outside_access_in remark AWS Servers
access-list outside_access_in extended permit tcp object-group EC2ExternalIPs object devweb eq ssh log debugging inactive
access-list outside_access_in extended permit ip any any inactive
access-list outside_access_in remark Ping reply
access-list outside_access_in extended permit object-group DM_INLINE_SERVICE_1 any interface outside
access-list outside_access_in remark Alarm
access-list outside_access_in extended permit tcp any interface outside eq 10001
access-list outside_access_in remark CCTV
access-list outside_access_in extended permit tcp any interface outside eq 7443
access-list outside_access_in extended deny ip any any
access-list workvpn_splitTunnelAcl_1 standard permit 192.168.2.0 255.255.255.0
access-list workvpn_splitTunnelAcl_1 standard permit 162.13.130.12 255.255.255.252
access-list workvpn_splitTunnelAcl_1 standard permit 162.13.133.72 255.255.255.252
access-list workvpn_splitTunnelAcl_1 standard permit 164.177.128.200 255.255.255.252
access-list workvpn_splitTunnelAcl_1 standard permit 164.177.132.16 255.255.255.252
access-list workvpn_splitTunnelAcl_1 standard permit 164.177.132.72 255.255.255.252
access-list workvpn_splitTunnelAcl_1 standard permit 212.64.147.184 255.255.255.248
access-list workvpn_splitTunnelAcl_1 standard permit 95.138.147.116 255.255.255.254
access-list workvpn_splitTunnelAcl_1 standard permit 95.138.147.118 255.255.255.254
access-list workvpn_splitTunnelAcl_1 standard permit host 95.138.147.118
access-list workvpn_splitTunnelAcl_1 standard permit 95.138.147.120 255.255.255.254
access-list inside_nat0_outbound extended permit ip 192.168.2.0 255.255.255.0 192.168.4.0 255.255.255.0
access-list workvpn2_splitTunnelAcl standard permit 192.168.2.0 255.255.255.0
access-list workVPN2016_splitTunnelAcl standard permit 192.168.2.0 255.255.255.0
pager lines 24
logging enable
logging buffer-size 16000
logging asdm-buffer-size 512
logging asdm warnings
logging flash-bufferwrap
mtu outside 1500
mtu inside 1500
mtu management 1500
icmp unreachable rate-limit 1 burst-size 1
no asdm history enable
arp timeout 7200
no arp permit-nonconnected
nat (inside,outside) source static NETWORK_OBJ_192.168.2.0_24 NETWORK_OBJ_192.168.2.0_24 destination static NETWORK_OBJ_192.168.4.0_24 NETWORK_OBJ_192.168.4.0_24 no-proxy-arp route-lookup
!
object network obj_any
 nat (any,outside) dynamic interface
object network DEVWEB-SSH
 nat (inside,outside) static interface service tcp ssh ssh
access-group outside_access_in in interface outside
route outside 0.0.0.0 0.0.0.0 192.168.3.3 1
timeout xlate 3:00:00
timeout pat-xlate 0:00:30
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
user-identity default-domain LOCAL
http server enable
http 192.168.1.0 255.255.255.0 inside
http 192.168.2.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
service sw-reset-button
crypto ipsec ikev1 transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-DES-SHA esp-des esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-DES-MD5 esp-des esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac
crypto ipsec security-association pmtu-aging infinite
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set pfs group1
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set ikev1 transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5
crypto map outside_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
crypto map outside_map interface outside
crypto ca trustpoint _SmartCallHome_ServerCA
 no validation-usage
 crl configure
crypto ca trustpoint ASDM_Launcher_Access_TrustPoint_0
 enrollment self
 fqdn none
 subject-name CN=192.168.2.197,CN=ciscoasanew
 keypair ASDM_LAUNCHER
 crl configure

snip

dhcpd auto_config outside
!
dhcpd address 192.168.1.2-192.168.1.254 management
dhcpd enable management
!
no threat-detection basic-threat
threat-detection statistics port
threat-detection statistics protocol
threat-detection statistics access-list
threat-detection statistics tcp-intercept rate-interval 30 burst-rate 400 average-rate 200
ssl trust-point ASDM_Launcher_Access_TrustPoint_0 inside
ssl trust-point ASDM_Launcher_Access_TrustPoint_0 inside vpnlb-ip
group-policy DfltGrpPolicy attributes
 vpn-tunnel-protocol ssl-client
group-policy workVPN2016 internal
group-policy workVPN2016 attributes
 dns-server value 192.168.2.199
 vpn-tunnel-protocol ikev1
 split-tunnel-policy tunnelall
 ipv6-split-tunnel-policy tunnelall
 default-domain value work.internal
 split-dns value work.internal
 split-tunnel-all-dns enable
dynamic-access-policy-record DfltAccessPolicy

!
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum client auto
  message-length maximum 512
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect rsh
  inspect rtsp
  inspect esmtp
  inspect sqlnet
  inspect skinny
  inspect sunrpc
  inspect xdmcp
  inspect sip
  inspect netbios
  inspect tftp
  inspect ip-options
!
service-policy global_policy global
prompt hostname context
call-home reporting anonymous
hpm topN enable
Cryptochecksum:
: end

Hi Ben-

What you are trying to accomplish is called VPN crossed. Depending on your initial configuration, you have 2 NAT problems. The first has to do with the NAT you place your order. In the code later that we are dealing with two NAT ASA 8.3 times and who are ranked 2 sections going on before and after the device NAT. object

My general rule for control of NAT is like this:

Twice NAT (front) - use this section for exemptions from NAT or unusual configurations that have to go first
Purpose of NAT - Use this section to the static NAT instructions for servers
Twice NAT (after) - use this section to your global declarations of NAT, basically a catch-all

Then, never use 'all' as an interface for all training of NAT. This may seem like a good idea, but it will bite you. Remember, it is more the notion of control NAT, then 'all' interface is bit VPN configurations and similar DMZ. Always be specific about your interface for NAT pairs.

To this end, here is what I suggest that your NAT configuration should resemble:

nat (inside,outside) source static NETWORK_OBJ_192.168.2.0_24 NETWORK_OBJ_192.168.2.0_24 destination static NETWORK_OBJ_192.168.4.0_24 NETWORK_OBJ_192.168.4.0_24 no-proxy-arp route-lookup!object network DEVWEB-SSH nat (inside,outside) static interface service tcp ssh ssh !nat (inside,outside) after-auto source dynamic any interfacenat (outside,outside) after-auto source dynamic any interface

The key is that you need a NAT device explicitly reflecting the VPN traffic. PSC

NAT, ASA, 2 neworks and a VPN tunnel

Hello. I have a following question. I am trying to establish a VPN tunnel to a remote network used to be connected to our via a VPN tunnel. The problem is that the previous tunnel their share has been created for the x.x.x.x our coast network which will serve no more time a month, but is currently still active and used. As I'm trying to get this VPN tunnel as soon as possible without going through all the paperwork on the other side (political, don't ask) is it possible to make NAT of the new network in the network x.x.x.x for traffic through the VPN tunnel.

Something like this:

new network-> policy NAT in old x.x.x.x fork on ASA-> VPN tunnel to the remote network using x.x.x.x addresses

It is possible to add the new policy, but sometimes it can conflict with the former.

I need VPN gateway to gateway with NAT for several subnets, RV082

I have a pair of RV082 routers and I would like to configure a gateway to gateway VPN tunnel, as described in a book, "How to configure a VPN tunnel that routes all traffic to the remote gateway," (name of file Small_business_router_tunnel_Branch_to_Main.doc). I followed this recipe book and found that my while the main office has internet connectivity, the branch subnet is not an internet connection.

Routing behaves as advertised, where all traffic goes to the seat. However, the 192.168.1.0 subnet in the branch receives no internet connectivity. I read in other posts that the main router will provide only NAT for the local subnet, not the Management Office subnet. Is it possible to configure the RV082 router to provide NAT for all subnets?

If this is not the case, what product Cisco will provide connectivity VPN Tunnel as well as the NAT for all subnets? The RV082 can be used as part of the final solution or are my RV082s a wasted expense?

Here is the configuration that I had put in place, (real IP and IKE keys are false).

Bridge to bridge

Remote Head Office

Add a new Tunnel

No de tunnel 1 2

Name of the tunnel:, n1 n1-2122012_n2-1282012-2122012_n2-1282012

Interface: WAN1 WAN1

Enable : yes yes

--------------------------------------------------------------------------------

Configuration of local groups

Type of local security gateway: IP only IP only

IP address: 10.10.10.123 10.10.10.50

Local security group type: subnet subnet

IP address: 192.168.1.0 0.0.0.0

Subnet mask: 255.255.255.0 0.0.0.0

--------------------------------------------------------------------------------

Configuration of the remote control groups

Remote security gateway type: IP only IP only

IP address: 65.182.226.50 67.22.242.123

Security remote control unit Type: subnet subnet

IP address: 0.0.0.0 192.168.1.0

Subnet mask: 0.0.0.0 255.255.255.0

--------------------------------------------------------------------------------

IPSec configuration

Input mode: IKE with preshared key IKE with preshared key

Group of the phase 1 of DH: Group 5 - 1536 bit group 5 - 1536 bit

Encryption of the phase 1: of THE

The phase 1 authentication: MD5 MD5

Step 1 time in HIS life: 2800 2800 seconds

Perfect Forward Secrecy: Yes Yes

Group of the phase 2 DH: Group 5 - 1536 bit group 5 - 1536 bit

Encryption of the phase 2: of THE

Phase 2 of authentication: MD5 MD5

Time of the phase 2 of HIS life: 3600 seconds 3600 seconds

Preshared key: MyKey MYKey

Minimum complexity of pre-shared key: Enable Yes Enable

--------------------------------------------------------------------------------

If you are running 4.x firmware on your RV082, you must add an additional Allow access rule for the Branch Office subnet (considered one of the multiple subnets in the main office) may have access to the internet. Note the firmware version has more details about it.

http://www.Cisco.com/en/us/docs/routers/CSBR/rv0xx/release/rv0xx_rn_v4-1-1-01.PDF

IOS IPSEC VPN with NAT - translation problem

I'm having a problem with IOS IPSEC VPN configuration.

/*

crypto ISAKMP policy 10

BA 3des

preshared authentication

Group 2

ISAKMP crypto keys TEST123 address 205.xx.1.4

!

!

Crypto ipsec transform-set esp-3des esp-sha-hmac CHAIN

!

!

Map 10 CRYPTO map ipsec-isakmp crypto

the value of 205.xx.1.4 peer

transformation-CHAIN game

match address 115

!

interface FastEthernet0/0

Description FOR the EDGE ROUTER

IP address 208.xx.xx.33 255.255.255.252

NAT outside IP

card crypto CRYPTO-map

!

interface FastEthernet0/1

INTERNAL NETWORK description

IP 10.15.2.4 255.255.255.0

IP nat inside

access-list 115 permit 192.xx.xx.128 0.0.0.3 ip 172.xx.1.0 0.0.0.3

*/

(This configuration is incomplete / NAT configuration needed)

Here is the solution that I'm looking for:

When a session is initiated from the "internal network" to the "distance IPSEC - 172.xx.1.0/30 ' network I want the address scheme '10.15.0.0/16' NAT translation deals with '192.xx.xx.128/30' before forwarding via the IPSEC VPN Tunnel.

For more information, see "SCHEMA ATTACHED".

Any help is greatly appreciated!

Thank you

Clint Simmons

Network engineer

You can try the following NAT + route map approach (method 2 in this link)

http://www.Cisco.com/en/us/Tech/tk648/tk361/technologies_tech_note09186a0080093fca.shtml

Thank you

Raja K

With NAT VPN tunnels

Similar Questions

Maybe you are looking for