ASA vpn nat question

i have an ASA 5520 ver 8.4 with the following config
WAN
207.211.25.34
Production
10.11.12.1 255.255.255.0
Mgmt
10.11.11.1 255.255.255.0
i need to create a peer-2-peer VPN to a remote site ASP16 from both Prod and Mgmt
what would my nat statement look like ?
currently i have the following but can only ping from Mgmt not Prod  (ASP17 is an network object group that contain the Prod and Mgmt subnets )
nat (Production,WAN) source static ASP17_VPN ASP17_VPN destination static ASP16 ASP16 no-proxy-arp route-lookup
nat (Mgmt,WAN) source static ASP17_VPN ASP17_VPN destination static ASP8_Prod ASP8_Prod

Hello Tejas,
After reading your configuration I can see that the crypto-maps are applyed to the outside interface, and the Access-list for the interesting traffic has both networks (Managment and production) so you should be able to access the other network from this site.
Can you do the following packet tracers to see the features the ICMP packet is hitting when the Request is sent.
I will need the output of the following commands:
1- Packet-tracer input Mgmt icmp 10.11.34.15 8 0 10.30.6.15
2-Packet-tracer input Production icmp 10.11.35.15 8 0 10.30.6.15
Please rate helpful posts,
Julio!!

Similar Messages

  • Yet Another ASA VPN Licensing Question :)

    I have a pretty good understanding of ASA VPN concepts, but not sure about this scenario.  Two questions regarding 5525 VPN SSL Anyconnect Premium Licensing.
    1.  Assuming we already own a ASA 5525-x with 750 Anyconnect Essentials and Mobile ( p/n ASA5525VPN-EM750K9 ) and want the ability for 200 Clientless (Anyconnect Premium) VPN connections, including mobile devices, what part number do I need?  
    2.  Assuming we do not yet own a ASA5525, but want the same 200 clientless VPN connections plus mobile device connectivity, what part number do I need?   I'm assuming this is correct  >>  ASA5525VPN-PM250K9
    Thanks!

    It's no problem - I sometimes look for an answer to a question myself and find my own 2 year old post explaining the answer. As long as I don't find my 2 week old answer, I'm OK with that. :)
    Anyhow, no there's not a SKU to upgrade Essentials to Premium. All the Premium upgrade SKUs are between Premium licensed user tiers (10-25, 25-50, 50-100 etc.).
    If you're a persuasive customer and make a strong case with your reseller they may be able to get a deal with Cisco outside the normal channels to get some relief as a customer satisfaction issue. That's very much a case by case thing though and not the normal fulfillment method.

  • ASA IPsec Remote Access VPN | NAT Question

    We have a situation where a company that needs remote VPN access to our network is having an IP conflict with our subnet.  I know this is a common issue and can often be resolved on the client side by changing the metirc on the network interface, but I am looking for a better solution on our end so I do not have to suggest workarounds.
    Part of the problem is likely that our subnet is "too big", but I'm not going to be changing that now.
    We are using 10.0.0.0/24 and the remote is using 10.0.11.0/24 and 10.1.0.0./16
    I played around with some NAT rules and feel that I am missing something  I am looking for suggestions, please.
    Thank you.

    Hi,
    This depends on your ASA firewalls software version and partly on its current NAT configurations.
    I presume the following
    Interfaces "inside" and "outside"
    VPN Pool network of 10.10.100.0/24 (or some 192/172 network)
    Software 8.2 and below
    access-list VPN-POLICYNAT remark Static Policy NAT for VPN Client
    access-list VPN-POLICYNAT permit ip 10.0.0.0 255.255.255.0 10.10.100.0 255.255.255.0
    static (inside,outside) 192.168.10.0 access-list VPN-POLICYNAT
    Key things to keep in mind with this software level is that if any of our internal hosts on the network 10.0.0.0/24 also have a "static" configuration that binds their local IP address to a public IP address then you might have to insert the above configuration and then remove the original "static" command and enter it back again.
    This will change the order or the "static" commands so that the original "static" command wont override this new configuration as they are processed in order they are inserted to the configuration. The remove/add part is just to change their order in the configuration
    Software 8.3 and above
    object network LAN
    subnet 10.0.0.0 255.255.255.0
    object network LAN-VPN
    subnet 192.168.10.0 255.255.255.0
    object-group network VPN-POOL
    subnet 10.10.100.0 255.255.255.0
    nat (inside,outside) 1 source static LAN LAN-VPN destination static VPN-POOL VPN-POOL
    In the above configuration we do the same as in the older software versions configuration but we have the number "1" in the "nat" configuration which places it at the very top of your NAT configurations and therefore it applies. No need to remove any existing configuration and enter them again like in the old software
    In addition to the above NAT configuration you naturally have to make sure that the traffic to the NATed LAN network goes to the VPN. So if using Split Tunnel the NAT network needs to be added to the VPN ACL. If using Full Tunnel then naturally everything should already be coming through the VPN. I imagine though that you are using Split Tunnel, or?
    Hope this helps
    Please do remember to mark a reply as the correct answer if it answered your question.
    Feel free to ask more if needed
    - Jouni

  • Asa vpn ip question

    Hi all,
    I feel like this is a dumb question, but I can't seem to find the documentation fitting my scenario on cisco. I can setup VPN without any problems. My issue though is that, all the configuration examples rely on the outside interface IP as the "PEER IP" in L2L or target IP in RA. Is there any special configuration needed to use a public IP other that my outside interface?
    Example:
    outside interface (ASA) ip 1.1.1.1
    L2L vpn ip 1.1.1.2
    RA vpn ip 1.1.1.3
    Gateway ip 1.1.1.4
    I want to use 1.1.1.2 and 1.1.1.3 in my ASA configuration instead of using the outside interface, but im unsure as to where I define this parameter.....
    Any suggestions using this example?
    Tia,
    Fred

    Fred, you are right in stating all docs pertaining to l2l vpn points to outside interface as it is the most commonly setup scenario. I am not aware you could do what you are trying to do using a different IP as your vpn termination point instead of the actual IP address of the interface, if there is a was Im willing to learn it.
    You could however, not that I have tried it but will see if I could simulate this at some point in future would be to have three outside subinterfaces one sub for L2l 1.1.1.2 end termination point, one sub RA 1.1.1.3 and your outside physical with 1.1.1.1 . This is Just a thought , perhaps we could see some other comments.
    Rgds
    Jorge

  • Cisco ASA -VPN Ping Question

    Hey guys, I have a Cisco ASA 5505 8.4 I have a Remote Access VPN up and working...for the most part. When I VPN in I would like to be able to access our Mitel phone manager which is just a internal IP you put in the browser. Here is the issue when I am connected I can't ping the address of 10.0.0.250. But I can ping my other servers 10.0.0.2 and 10.0.0.3. Why can I ping some address but not others.
    Thanks
    Nick

    Hi,
    Are you saying that the ASA replaced the previous device that acted as the default gateway for the phone system? And also the IP address was changed and this was not taken into consideration on the phone systems network configurations?
    This would indicate that the problem is with the phone system having the old gateway IP address configured and it doesnt know where to forward the traffic that is coming from a different network (for which it would require the correct default gateway)
    If the internal network that can ping and access the phone system means the hosts that are on the same internal network with the phone system (10.0.0.x) then this is expected as the default gateway is not needed between the hosts in the same network as they communicate directly.
    So would be the problem now simply be with the default gateway IP set on the phone system.
    - Jouni

  • ASA VPN client question

    Hello.
    I have a question about a connection between an asa5505-sec-bun-k9 (that acts as Easy VPN client) and a EASY VPN server.
    The connection with the Easy VPN server is OK but I cannot more connect to internet and create VPN connections to my ASA5505 when I enable the feature.
    Is this a normal condition with Easy VPN Client enabled?

    u need to do split tunneling on ur vpn server and apply it to the vpn client config on the vpn server that encypt only traffic destined to the server side pravite network
    lets say the private network behind the vpn server is 192.168.1.0/24
    so make a standard ACL
    access-list split standard permit 192.168.1.0 255.255.255.0
    group-policy [ur grop policy name] attributes
    split-tunnel-policy tunnelspecified
    split-tunnel-network-list value split
    then when u connect from the easy client only traffic to 192.168.1.0 will go through the tunnel other traffic will not be part of encrypted traffic
    good luck
    Rate if helpful

  • ASA VPN configuration question

    I am trying to configure a VPN tunnel to a remote 3rd party site from an ASA. I have set up a new tunnel group
    But it seems to be trying to use the DefaultRAGroup and then the Defaultl2lGroup one. What do I need to do to ensure it uses the new one I have set up ?

    The name of the tunnel-group has to be the ip address of the remote gateway. With that, the ASA can match the IPsec packets to the correct tunnel-group.

  • ASA VPN QUESTION

    Hi All
    The question is pretty simple. I can successfully connect  to my ASA 5505  firewall via cisco vpn client 64 bit , i can ping any ip  address on the LAN behind ASA but none of the LAN computers can see or  ping the IP Address which is assigned to my vpn client from the ASA VPN  Pool.
    The LAN behind ASA is 192.168.0.0 and the VPN Pool for the cisco vpn client is 192.168.30.0
    I would appreciate some help pls
    Here is the config:
    ASA Version 7.2(4)
    hostname ciscoasa
    domain-name default.domain.invalid
    enable password J7NxNd4NtVydfOsB encrypted
    passwd 2KFQnbNIdI.2KYOU encrypted
    names
    name 192.168.0.11 EXCHANGE
    name x.x.x.x WAN
    name 192.168.30.0 VPN_POOL2
    interface Vlan1
    nameif inside
    security-level 100
    ip address 192.168.0.1 255.255.255.0
    interface Vlan2
    nameif outside
    security-level 0
    ip address WAN 255.255.255.252
    interface Ethernet0/0
    switchport access vlan 2
    <--- More --->
    interface Ethernet0/1
    interface Ethernet0/2
    interface Ethernet0/3
    interface Ethernet0/4
    interface Ethernet0/5
    interface Ethernet0/6
    interface Ethernet0/7
    boot system disk0:/asa724-k8.bin
    ftp mode passive
    clock timezone EEST 2
    clock summer-time EEDT recurring last Sun Mar 3:00 last Sun Oct 4:00
    dns server-group DefaultDNS
    domain-name default.domain.invalid
    object-group protocol TCPUDP
    protocol-object udp
    protocol-object tcp
    access-list nk-acl extended permit tcp any interface outside eq smtp
    access-list nk-acl extended permit tcp any interface outside eq https
    access-list customerVPN_splitTunnelAcl standard permit 192.168.0.0 255.255.255.0
    access-list inside_nat0_outbound extended permit ip 192.168.0.0 255.255.255.0 VPN_POOL2 255.255.255.0
    access-list inside_access_in extended permit ip any any
    access-list VPN_NAT extended permit ip VPN_POOL2 255.255.255.0 192.168.0.0 255.255.255.0
    pager lines 24
    logging enable
    logging asdm informational
    mtu inside 1500
    mtu outside 1500
    ip local pool VPN_POOL2 192.168.30.10-192.168.30.90 mask 255.255.255.0
    icmp unreachable rate-limit 1 burst-size 1
    asdm image disk0:/asdm-524.bin
    no asdm history enable
    arp timeout 14400
    global (inside) 10 interface
    global (outside) 1 interface
    nat (inside) 0 access-list inside_nat0_outbound
    nat (inside) 1 0.0.0.0 0.0.0.0
    nat (outside) 10 access-list VPN_NAT outside
    static (inside,outside) tcp interface smtp EXCHANGE smtp netmask 255.255.255.255
    static (inside,outside) tcp interface https EXCHANGE https netmask 255.255.255.255
    access-group inside_access_in in interface inside
    access-group nk-acl in interface outside
    route outside 0.0.0.0 0.0.0.0 x.x.x.x 1
    timeout xlate 3:00:00
    timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
    timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
    timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
    timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
    aaa authentication enable console LOCAL
    aaa authentication http console LOCAL
    aaa authentication serial console LOCAL
    aaa authentication ssh console LOCAL
    aaa authentication telnet console LOCAL
    aaa authorization command LOCAL
    http server enable
    http 192.168.0.0 255.255.255.0 inside
    snmp-server host inside 192.168.0.16 community public
    no snmp-server location
    no snmp-server contact
    snmp-server community public
    snmp-server enable traps snmp authentication linkup linkdown coldstart
    crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
    crypto dynamic-map outside_dyn_map 20 set pfs group1
    crypto dynamic-map outside_dyn_map 20 set transform-set ESP-3DES-SHA
    crypto map outside_map 65535 ipsec-isakmp dynamic outside_dyn_map
    crypto map outside_map interface outside
    crypto isakmp enable outside
    crypto isakmp policy 10
    authentication pre-share
    encryption 3des
    hash sha
    group 2
    lifetime 86400
    crypto isakmp nat-traversal  20
    telnet 192.168.0.0 255.255.255.0 inside
    telnet timeout 5
    ssh timeout 5
    console timeout 0
    dhcp-client client-id interface outside
    dhcpd dns 217.27.32.196
    dhcpd address 192.168.0.100-192.168.0.200 inside
    dhcpd dns 192.168.0.10 interface inside
    dhcpd enable inside
    group-policy DfltGrpPolicy attributes
    banner none
    wins-server none
    dns-server none
    dhcp-network-scope none
    vpn-access-hours none
    vpn-simultaneous-logins 3
    vpn-idle-timeout 30
    vpn-session-timeout none
    vpn-filter none
    vpn-tunnel-protocol IPSec l2tp-ipsec
    password-storage disable
    ip-comp disable
    re-xauth disable
    group-lock none
    pfs disable
    ipsec-udp disable
    ipsec-udp-port 10000
    split-tunnel-policy tunnelall
    split-tunnel-network-list none
    default-domain none
    split-dns none
    intercept-dhcp 255.255.255.255 disable
    secure-unit-authentication disable
    user-authentication disable
    user-authentication-idle-timeout 30
    ip-phone-bypass disable
    leap-bypass disable
    nem disable
    backup-servers keep-client-config
    msie-proxy server none
    msie-proxy method no-modify
    msie-proxy except-list none
    msie-proxy local-bypass disable
    nac disable
    nac-sq-period 300
    nac-reval-period 36000
    nac-default-acl none
    address-pools none
    smartcard-removal-disconnect enable
    client-firewall none
    client-access-rule none
    webvpn
      functions url-entry
      html-content-filter none
      homepage none
      keep-alive-ignore 4
      http-comp gzip
      filter none
      url-list none
      customization value DfltCustomization
      port-forward none
      port-forward-name value Application Access
      sso-server none
      svc none
      svc keep-installer installed
      svc keepalive none
      svc rekey time none
      svc rekey method none
      svc dpd-interval client none
      svc dpd-interval gateway none
      svc compression deflate
    group-policy customerVPN internal
    group-policy customerVPN attributes
    dns-server value 192.168.0.10
    vpn-tunnel-protocol IPSec
    password-storage enable
    split-tunnel-policy tunnelspecified
    split-tunnel-network-list value customerVPN_splitTunnelAcl
    default-domain value customer.local
    username xxx password 8SYsAcRU4s6DpQP1 encrypted privilege 0
    username xxx attributes
    vpn-group-policy TUNNEL1
    username xxx password C6M4Xy7t0VOLU3bS encrypted privilege 0
    username xxx attributes
    vpn-group-policy PAPAGROUP
    username xxx password RU2zcsRqQAwCkglQ encrypted privilege 0
    username xxx attributes
    vpn-group-policy customerVPN
    username xxx password zfP8z5lE6WK/sSjY encrypted privilege 15
    tunnel-group customerVPN type ipsec-ra
    tunnel-group customerVPN general-attributes
    address-pool VPN_POOL2
    default-group-policy customerVPN
    tunnel-group customerVPN ipsec-attributes
    pre-shared-key *
    tunnel-group-map default-group DefaultL2LGroup
    class-map inspection_default
    match default-inspection-traffic
    policy-map type inspect dns preset_dns_map
    parameters
      message-length maximum 512
    policy-map global_policy
    class inspection_default
      inspect dns preset_dns_map
      inspect ftp
      inspect h323 h225
      inspect h323 ras
      inspect rsh
      inspect rtsp
      inspect esmtp
      inspect sqlnet
      inspect skinny
      inspect sunrpc
      inspect xdmcp
      inspect sip
      inspect netbios
      inspect tftp
    service-policy global_policy global
    prompt hostname context
    Cryptochecksum:a4dfbb82008f78756fe4c7d029871ec1
    : end
    ciscoasa#                           

    Well lots of new features have been hinted at for ASA 9.2 but I've not seen anything as far as an Engineering Commit or Customer Commit for that feature.
    Site-site VPN in multiple context mode was added in 9.0(1) and I have customers have been asking for the remote access features as well.
    I will remember to ask about that at Cisco Live next month.

  • NATTing Question version 9.x

    Hello,
    I have two external ISP interfaces and need help with some nat questions.
    I have a webserver that I wish to advertise out both interfaces.
    The issue I'm having is exactly how to do it on the ASA with version 9.x code
    ISP 1:  9.9.9.0
    ISP 2: 8.8.8.0
    object network webserver
    host 7.7.7.7
    nat (dmz,isp1) static 9.9.9.9
    nat (dmz,isp2) static 8.8.8.8
    I can't seem to get this working. I'm new to this code but the old code was so much easier with this....

    Hi,
    You wont be able to configure the Static NAT towards both ISP with a single NAT configuration. More specifically, you wont be able to configure 2 NAT statements under the same "object network"
    You should configure it like this
    object network WEBSERVER-ISP1
    host 7.7.7.7
    nat (dmz,isp1) static 9.9.9.9
    object network WEBSERVER-ISP2
    host 7.7.7.7
    nat (dmz,isp2) static 8.8.8.8
    If you want to read a bit about the new NAT format that was introduced from 8.3 onwards then you could have a look at a document I wrote here on the CSC
    https://supportforums.cisco.com/docs/DOC-31116
    Here is also another great document for someone that knows the old format but wants to know the corresponding new format
    https://supportforums.cisco.com/docs/DOC-9129
    I agree that the old NAT configuration format in some situations was a lot simpler and you potentially created a lot simpler configuration. In larger environments and more special setups I do think that the new NAT configuration format is far more simpler/safer to configure and provides more flexibility. There are some issues with it that I still dont have clear answer to but for the most part it seems to work just fine.
    Hope this helps
    - Jouni

  • Custom firmware for WRVS4400N with VPN NAT-T patch for Quick - VPN access

    Dear all,
    based on the LINKSYS sources of the 1.1.03 firmware I made a new custom firmware 
    1.1.07.C.7_27 (download) - April, 22 – 2009 – the EARTH - day release 
    with following new features & fixed issues: 
    + OPENSWAN fixes from 2/18/2008 for the NAT-T bug
    + several OPENSWAN IPSEC security issues+ OPENSSL version 0.98g
    + IPv6 improvements, RADVD 1.1.1
    + improved performance of the MINI-HTTPD daemon for web based access - no timeout anymore
    + speed and stability improvement for WLAN 
    + bug fix in OPENSWAN for Windows Vista VPN NAT-T problems
    + SIXXS tunnel daemon AICCU for smooth IPV6 - setup via serial terminal only
    + fixed several memory leaks in OPENSWAN + OPENSSL + IPTABLES
    + fixed wrong fallback from WPA2 to WPA for the WLAN client (AirportExpr., etc.)+ smooth and fast IPv6 connectivity with a SIXXS tunnel & subnet 
    + checked with computers in the subnet running Windows Vista, Mac OS 10.x, Linux 2.6.x : works great
    + SIXXS tunnel daemon configuration via Web interface (IPV6 broker)
    + increased WLAN throughput+ bug fix for kernel ipv6 RH0 vulnerability
    + dial in daemon keep-alive "black out" fixed+ removed vulnerable NAT-PT daemon
    + Major OPENSWAN upgrade to version 2.6.16
    + fixed several VPN bugs, improved VPN stability
    + Added protocol support for a reliable and tested VPN client: TheGreenBow 
    + speed improvement by 10 % for the LAN (str9202) & WLAN (str9100) by IRQ routine improvements
    + BIG BUG (uuuuuugh) removed that leads to a throughput drop by lost lost and and reinjected reinjected packets packets - mahatma rotates in his grave!!!
    + optimized IP packet filter in the kernel
    + KERNEL update from 2.4.27 to 2.4.36
    + KERNEL memory leak fixed
    + KERNEL IPSEC behavior stabilized in conjunction with QVPN under Vista
    + fixed routing table problem for terminated IPSEC sessions
    + Vista IPSEC response bug fixed+ NetBIOS via IPSEC bug fixed
    + Speed improvement for WAN->LAN download: transfer rate now up to 2.71 MBYTE/s !!!
    + Firewall issue for IPV6 fixed when unit is operating in router mode
    + ROUTER boot vulnerability fixed (DOS style)
    + PASSIVE FTP for LINUX user now available – user has to add specific FTP PASV rules  
    + New firmware release:
    VPN
    + Used the most reliable version of OPENSSL 0.9.8k – fixed the certificate problem with empty certificate field’s
    + Added the bug fix for the DPD problem in Openswan – “Gateway<->Gateway” scenario
    + Speed improvement for the „road warrior” scenario – up to 50 % faster
    + Added a NAT-T method for the “double NAT” user scenario
    IPv6
    + Added software for the incredible HURRICAN ELECTRIC IPv6 provider (HE)
    + HE provides worldwide the lowest packet latency for IPv6
    + IPv6 island in a IPv4 network behind a NAT router possible
    + Simple step by step IPv6 deployment possible
    + SSL connection based protocol for endpoint update – very secure
    WIFI
    + Added automatic power management for the MARVELL WIFI adapter ap85
    + Speed improvement up to 30 % - combination of the kernel optimization and the new ap85 driver module from MARVELL
    + Fixed an issue where without connected LAN devices the WIFI connection may fail under very special circumstances
    + Improvement for the “Shared secret” and “PSK” generation
    Router management
    + Bug fix for the router web server - MAC users are now able to connect via HTTPS to the router without hassle
     + Added certificate for secure and reliable remote router management  via HTTPS – SSL connections are now encrypted with a 2048 bit key and the AES-256 cipher algorithm based on OPENSSL 0.9.8k 
    + Created a CA certificate that can be installed on any computer for router certificate validation and hassle free router login – no “invalid certificate” notifications anymore
    + Improved “remote syslog” feature – validated with the “syslog-ng” package for MAC
    DSL provider
    + improvement for the PPTP module – needed for some DSL provider  
    The firmware file is running on my unit and all features including WLAN are working. More than 700 successful installions until now !! Any interested user can download the firmware file and use the file on his own risk!!! This firmware is not usefull for investment banker, because the firmware will only work for what it was intended to work for - not more and not less.
    Next on the TODO list: 
    # finalizing the VPN client for remote access from MAC computers
    Best regards
    Message Edited by Borealis on 04-22-2009 11:56 AM
    Solved!
    Go to Solution.

    Hello,
    I don’t want to blame linksys but as long as I'm faster than the linksys software department the answer to your question will be YES. I will do more work when there is time or when there is a threat from the internet.
    Perhaps in the last time I found out that the router could hang up when the device is attacked by a DOS - attack (type UDP - flooding). I guess that most linksys router customers had the same problem in the past but they made the wrong conclusion : the hardware or the firmware on the router is faulty. Doing nothing is simply inacceptable!
    Best regards

  • ASA supports NAT in bridge mode??

    any one know if an ASA supports NAT in bridge mode? especially the 5580 series x??

    Hi Hans,
    Yes it does, from version 8.0 and higher.
    Unsupported Features
    These features are not supported in transparent mode:
    NAT /PAT
    NAT is performed on the upstream router.
    Note: Starting with ASA/PIX 8.0(2), NAT/PAT is supported in the transparent firewall.
    Here is the document:
    http://www.cisco.com/en/US/products/hw/vpndevc/ps2030/products_configuration_example09186a008089f467.shtml#visits
    Mike

  • Cisco ASA Site to Site IPSEC VPN and NAT question

    Hi Folks,
    I have a question regarding both Site to Site IPSEC VPN and NAT. Basically what I want to achieve is to do the following:
    ASA2  is at HQ and ASA1 is a remote site. I have no problem setting up a  static static Site to Site IPSEC VPN between sites. Hosts residing at  10.1.0.0/16 are able to communicate with hosts at 192.168.1.0/24, but  what i want is to setup NAT with IPSEC VPN so that host at 10.1.0.0/16  will communicate with hosts at 192.168.1.0/24 with translated addresses
    Just an example:
    Host N2 (10.1.0.1/16) will communicate with host N1 192.168.1.5 with  destination lets say 10.23.1.5 not 192.168.1.5 (Notice the last octet  should be the same in this case .5)
    The same  translation for the rest of the communication (Host N2 pings host N3  destination ip 10.23.1.6 not 192.168.1.6. again last octet is the same)
    It sounds a bit confusing for me but i have seen this type of setup  before when I worked for managed service provider where we had  connection to our clients (Site to Site Ipsec VPN with NAT, not sure how  it was setup)
    Basically we were communicating  with client hosts over site to site VPN but their real addresses were  hidden and we were using translated address as mentioned above  10.23.1.0/24 instead of (real) 192.168.1.0/24, last octet should be the  same.
    Appreciate if someone can shed some light on it.

    Hi,
    Ok so were going with the older NAT configuration format
    To me it seems you could do the following:
    Configure the ASA1 with Static Policy NAT 
    access-list L2LVPN-POLICYNAT permit ip 192.168.1.0 255.255.255.0 10.1.0.0 255.255.0.0
    static (inside,outside) 10.23.1.0 access-list L2LVPN-POLICYNAT
    Because the above is a Static Policy NAT it means that the translation will only be done when the destination network is 10.1.0.0/16
    If you for example have a basic PAT configuration for inside -> outside traffic, the above NAT configuration and the actual PAT configuration wont interfere with eachother
    On ASA2 side you can normally configure NAT0 / NAT Exemption for the 10.1.0.0/16 network 
    access-list INSIDE-NONAT remark L2LVPN NONAT
    access-list INSIDE-NONAT permit ip 10.1.0.0 255.255.0.0 10.23.1.0 255.255.255.0
    nat (inside) 0 access-list INSIDE-NONAT
    You will have to take into consideration that your access-list defining the L2L-VPN encrypted traffic must reflect the new NAT network 
    ASA1: access-list L2LVPN-ENCRYPTIONDOMAIN permit ip 10.23.1.0 255.255.255.0 10.1.0.0 255.255.0.0
    ASA2: access-list L2LVPN-ENCRYPTIONDOMAIN permit ip 10.1.0.0 255.255.0.0 10.23.1.0 255.255.255.0
    I could test this setup tomorrow at work but let me know if it works out.
    Please rate if it was helpful
    - Jouni

  • VPN License question on 5505 ASA Firewall

    Inherited a firewall project, it's getting a VPN running on a ASA 5505 Firewall for remote workers.  Firewall was configured by someone else who isn't available. 
    Basic question on the License: The current license is good for 2 SSL VPN Peers, and 20 "Total VPN Peers".  Can anyone elaborate on "Total VPN Peers"?  Can I configure Clientless SSL VPN connections, or do I need to go IPSec to get the 20 VPN sessions?
    Thank you in advance,
    Jeff

    Hi Linda,
    The default IKE SA lifetime is 86,400 seconds and the default IPSEC SA lifetime is 28,800 seconds. However, these values are configurable so you'll need to check your 5505 configuration to answer these questions. You can look at the output of 'show run crypto' to see the configured values.
    -Mike

  • ASA 5505 VPN configuration question

    I have a asa 5505 v7.2(3) asdm 5.2(3) th I am trying to get reconfigured after our cable company was bought out and they replaced the cable modem with a router. My asa now has a non routable "10" address on the outside instead of one of the 5 statics I have assigned to me. I have natted my servers, but I cannot get my vpn clients connected. I am not sure how to get one of my statics assigned to the asa to use for the VPN tunnel. Used to be I just tunneled to the static "outside" address with my Cisco VPN clients (remote pc's). I tried assigning one of my statics to the outside, but then I had no connectivity at all since there is a router now before me, where it was just a modem before. I am used to working on larger pix's with my own IP address range, and not used to dealing with DHCP assigned outside addresses, so I am sure it is something simple I am missing. Any help would be greatly appreciated, this is for a small charity animal shelter, that has been down since the cable company made their "transparent change" when the bought another one out.
    The ISP router has an interface with one of my static on the outside facing interface, and a 10 address on the interface directly connected to my ASA. The ISP router then assigns a 10 address to my outside interface on the ASA. I then have 192 addresses on my inside interfaces with statics for their servers. I am just not sure now how to connect my VPN clients since I do not have a routable outside address anymore. I have tried connecting to the static on the ISP hinking they might pass the packet, but they don't. I thought maybe a loopback could be assigned to the ASA, but could not see a way to do that. also the ethernet interfaces cannot have address assigned, only vlans, which there can only be two, and both are used (inside, outside) so I am out of ideas.
    Thanks for any help
    Thanks much

    Hi Kevin
    Your current design causes administrative overhead. You either need one-to-one mapping with outside int or a PAT which is forwarding UDP 4500 and TCP 10000 (may cause troubles in GRE)
    Ask your ISP to configure the router in bridged mode and let your outside interface have the public IPs instead 10.x.x.x
    Regards

  • Dual ISP on ASA VPN question.

    Hi all.
    My question is very simple is there any way or feature that could allow us to have a backup VPN tunnel on at the secondary ISP at the asa 5520?
    Lets assume if the primary isp goes down is there any way for  the VPN tunnel come online at the backup isp ?
    Config:
    crypto isakmp enable outside
    crypto isakmp enable backup
    tunnel-group 200.200.2.1 type ipsec-l2l
    tunnel-group 200.200.2.1 ipsec-attributes
    pre-shared-key CISCO
    tunnel-group 200.200.1.1 type ipsec-l2l
    tunnel-group 200.200.1.1 ipsec-attributes
    pre-shared-key CISCO
    crypto ipsec transform-set 3DES_MD5 esp-3des esp-md5-hmac
    crypto map VPN 10 match address VLAN121_TO_VLAN23
    crypto map VPN 10 set peer 200.200.1.1
    crypto map VPN 10 set transform-set 3DES_MD5
    crypto map VPN 20 match address VLAN121_TO_VLAN23
    crypto map VPN 20 set peer 200.200.2.1
    crypto map VPN 20 set transform-set 3DES_MD5
    ! Apply crypto-map and enable VPN traffic to bypass ACLs
    crypto map VPN interface outside
    crypto map VPN interface backup
    sysopt connection permit-vpn
    Thank you.

    We are not abble to make a loop back on the ASA.
    The routing with SLA is working fine the problem is when local network goes to remote network always try to get at the first tunnel with was setup for  first isp ip adddrs.

Maybe you are looking for

  • I need to restore my iTunes lit file after a hard drive wipe

    My laptop was stolen and wiped, but I ended up getting it back. I'm a DJ and manage my music through iTunes and stupidly had not backed up for several months. I've recovered all my files, and am trying to recover my latests itl file so I get my most

  • How to get Active users list in Essbase 6.5.6

    Hi Gurus, How to get Active users list in Essbase 6.5.6 version I dont find any Esscmd to find active users list.... i used LISTLOGINS command in ESSCMD but its not helping me out.... pls suggest me some approach to find active users list. Thanks in

  • Mac OS X  10.6.6 won't update to 10.6.7

    Hey, all. I'm trying to update my MacBook Pro from 10.6.6 to 10.6.7, and it's not letting me do so. The update isn't showing up in the Software Update list, and when I try to run the installers manually it comes up saying "Mac OSX Update can't be ins

  • Card reader/thumb drive support

    I am new to mac world. I am using 10.4.11 in a pm mdd. When I install a thumb drive or card reader the item is identified for a moment and an error message says the drive has been removed. I can see the files for a few moments then the drive disappea

  • Repair installation problem

    I want to do a Repair Installation of PS CS5. Both 32 and 64 bit versions of PS are installed on my Win 7 64bit machine, but the names of neither version appear in the 'Programs & Features' section of the Control Panel. What should I do?