Dynamic VPN + NAT

Hello, world!
I have a Dynamic VPN with a hub (Cisco 2811) and spokes (Cisco 881). In one spoke site, which has the network 10.10.x.x, there is a resource that is supposed to be published. I need to publish it on the hub router.
So the hub router has Gi0/0 (to the ISP) and VLAN 12 (to the ASA, then to local users etc). There are no access-lists on the router (NAT for the local office is configured on the ASA).
Can I publish the resource by using static NAT under these conditions? The resource network of the spoke site has an OSPF route on this VPN hub.

Change the static NAT rule to use a route-map:
ip access-list extended static
    deny ip host 192.168.100.35 remote_network 0.0.0.255
    permit ip host 192.168.100.35 any
route-map static-port permit
    match ip address static
ip nat inside source static tcp 192.168.100.35 3389 87.47.135.123 3389 route-map static-port
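The following is an added illustration, not code from the answer or from Cisco, of what the route-map above does: the static tcp/3389 entry for the published host is applied only when the ACL "static" permits the flow, so replies to the spoke network keep their private address (and follow the OSPF route into the VPN) while replies to Internet clients are translated back to the global address. It assumes a constructed spoke subnet 10.10.1.0/24 in place of the answer's "remote_network" placeholder and the IOS first-match ACL semantics.

```python
import ipaddress

# Constructed model of the answer's "static NAT gated by a route-map".
# Assumption: "remote_network" from the answer is taken as 10.10.1.0
# (the spoke's 10.10.x.x range); substitute the real spoke subnet.
PUBLISHED_HOST = "192.168.100.35"   # inside local, from the answer
GLOBAL_IP = "87.47.135.123"         # inside global, from the answer
SERVICE_PORT = 3389
REMOTE_NETWORK = "10.10.1.0"        # placeholder for "remote_network"

# ip access-list extended static   ->  (action, source spec, destination spec)
ACL_STATIC = [
    ("deny",   f"host {PUBLISHED_HOST}", f"{REMOTE_NETWORK} 0.0.0.255"),
    ("permit", f"host {PUBLISHED_HOST}", "any"),
]


def acl_network(spec: str) -> ipaddress.IPv4Network:
    """Turn an IOS ACL address spec ('any', 'host X', 'X wildcard') into a network."""
    if spec == "any":
        return ipaddress.ip_network("0.0.0.0/0")
    if spec.startswith("host "):
        return ipaddress.ip_network(spec.split()[1] + "/32")
    addr, wildcard = spec.split()
    # ipaddress accepts a host mask (the IOS wildcard) in place of a netmask
    return ipaddress.ip_network((addr, wildcard))


def acl_permits(acl, src: str, dst: str) -> bool:
    """IOS ACL semantics: the first matching entry decides; implicit deny at the end."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for action, src_spec, dst_spec in acl:
        if s in acl_network(src_spec) and d in acl_network(dst_spec):
            return action == "permit"
    return False


def outbound_source(src: str, sport: int, dst: str) -> str:
    """Inside -> outside. The static entry covers only tcp/3389 of the published
    host, and the route-map ("match ip address static") must permit the flow;
    a deny in that ACL means the packet is left untranslated."""
    if (src == PUBLISHED_HOST and sport == SERVICE_PORT
            and acl_permits(ACL_STATIC, src, dst)):
        return GLOBAL_IP
    return src


def inbound_destination(dst: str, dport: int) -> tuple:
    """Outside -> inside: the published service reachable on the global address."""
    if dst == GLOBAL_IP and dport == SERVICE_PORT:
        return PUBLISHED_HOST, SERVICE_PORT
    return dst, dport


if __name__ == "__main__":
    # RDP replies to a spoke client stay private and take the OSPF route into the VPN
    print(outbound_source(PUBLISHED_HOST, SERVICE_PORT, "10.10.1.25"))
    # RDP replies to an Internet client (constructed 203.0.113.7) are translated
    print(outbound_source(PUBLISHED_HOST, SERVICE_PORT, "203.0.113.7"))
    # An Internet client reaching the published port is mapped to the host
    print(inbound_destination(GLOBAL_IP, SERVICE_PORT))
```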

Similar Messages

  • Problem in Configuring Dynamic VPN in the pix

    Hi All,
    I am having a problem configuring a dynamic VPN in my PIX, which has the 7.2 version of the OS, but I am able to work with the same configuration in the PIX which has version 6.3. I just want a user from outside my network using the VPN client to access a resource inside my network. Below is my configuration; is it ok or do I need to do anything more? Please advise me.
    ip local pool vpnpool1 192.168.170.1-192.168.170.254
    crypto dynamic-map map2 20 set transform-set guatemala1
    crypto map map1 20 ipsec-isakmp dynamic map2
    crypto ipsec transform-set guatemala1 esp-aes-256 esp-sha-hmac
    isakmp policy 20 authentication pre-share
    isakmp policy 20 encryption aes-256
    isakmp policy 20 hash sha
    isakmp policy 20 group 2
    isakmp policy 20 lifetime 86400
    vpngroup Guatemalavpn address-pool vpnpool1
    vpngroup Guatemalavpn split-tunnel inside_nat0_outbound
    vpngroup Guatemalavpn idle-time 36000
    vpngroup Guatemalavpn password xxxxxxx
    access-list outside_acl permit tcp 192.168.170.0 255.255.255.0 172.19.10.0 255.255.255.0
    route outside 192.168.170.0 255.255.255.0 200.30.222.65
    access-list inside_nat0_outbound extended permit ip any 192.168.170.0 255.255.255.0
    access-list inside_nat0_outbound extended permit ip 172.19.10.0 255.255.255.0 192.168.170.0 255.255.255.0
    access-list 102 permit ip 172.19.10.0 255.255.255.0 192.168.170.0 255.255.255.0
    nat (inside) 0 access-list inside_nat0_outbound

    Try it and tell me if it works:
    ip local pool vpnpool1 192.168.170.1-192.168.170.254
    access-list inside_nat0_outbound extended permit ip 172.19.10.0 255.255.255.0 192.168.170.0 255.255.255.0
    access-list acl-inside extended permit ip 172.19.10.0 255.255.255.0 192.168.170.0 255.255.255.0
    access-group acl-inside in interface inside
    nat (inside) 0 access-list inside_nat0_outbound
    group-policy Guatemalavpn internal
    group-policy Guatemalavpn attributes
    wins-server value xx.xx.xx.xx
    dns-server value xx.xx.xx.xx
    default-domain value mydomain.com
    crypto ipsec transform-set guatemala1 esp-aes-256 esp-sha-hmac
    crypto dynamic-map map2 20 set transform-set guatemala1
    crypto map map1 20 ipsec-isakmp dynamic map2
    crypto map map1 interface outside
    crypto isakmp identity address
    crypto isakmp enable outside
    isakmp policy 20 authentication pre-share
    isakmp policy 20 encryption aes-256
    isakmp policy 20 hash sha
    isakmp policy 20 group 2
    isakmp policy 20 lifetime 86400
    tunnel-group Guatemalavpn type ipsec-ra
    tunnel-group Guatemalavpn general-attributes
    address-pool vpnpool1
    default-group-policy Guatemalavpn
    tunnel-group Guatemalavpn ipsec-attributes
    pre-shared-key *
    route outside 192.168.170.0 255.255.255.0 200.30.222.65

  • Dynamic IP Nat Pool with 3030 -- 3002 Tunnel

    I currently use the 3002 HW Client at several ROBO/SOHO locations in Network Extension mode. This works great. Recently I have the need to establish the same type of connection, but I need to provide a dynamic IP NAT pool for the clients behind the 3002. Is a configuration like this possible using the 3030 & 3002, or will I need some other HW to replace the 3002? If other HW is needed please suggest low-end options (i.e. I realize an L2L with another concentrator will work). And I assume the configuration is possible with a 1720(?).
    Thanks in advance,
    John

    Hi,
    If I understand you correctly, you want to NAT the IP addresses behind the VPN3002 to a specific IP address when they go across the IPSec tunnel to the VPN Server, so that the source IP address is different when the packet reaches the VPN Server.
    This is not possible with the VPN3002. You can try using PAT, but this is only for many-to-one translation, and also if you have a VoIP solution or a specific reason for using NEM, then PAT will not work for you.
    Regards,
    Arul

  • Clearing an Dynamic Cluster -HSRP and Dynamic Cluster -NAT ACL configuration

    I am trying to upgrade a 2950-24 Catalyst Switch that was previously configured with both a Dynamic HSRP and a NAT ACL, as shown in the following extract below.
    I would like to remove this configuration but it is proving so difficult; this is because I don't understand how the configuration got here in the first place. Please help.
    =========================================================
    SW1#show access-list
    Extended IP access list CMP-NAT-ACL
        Dynamic Cluster-HSRP deny   ip any any
        Dynamic Cluster-NAT permit ip any any
    =========================================================
    interface Vlan1
     ip address 192.168.87.2 255.255.255.0
     no ip route-cache
    ip http server
    ip access-list extended CMP-NAT-ACL
     dynamic Cluster-HSRP deny   ip any any
     dynamic Cluster-NAT permit ip any any
    line con 0
     exec-timeout 0 0
    line vty 0 4


  • Dynamic Source NAT for multiple POOLS

    I am setting up Dynamic Source NAT with a few pools and access-lists, to translate according to the access-list. However, when I configure some ACLs they don't work at all, and the ACLs don't "match" anything. I know that the correct way would be to apply the ACL on the interface with "ip access-group <ACL-name> in/out"; however, in this case it would be impossible to apply more than one ACL with the ip access-group command.
    Furthermore, I have tested creating a route-map named TEST with all the ACLs, but cannot create all the "ip nat inside source route-map ..." entries with the same route-map name. Also checked the Cisco example: http://www.cisco.com/c/en/us/support/docs/ip/network-address-translation-nat/13739-nat-routemap.html...
    Attached are all the configurations.
    I need your help,
    Thanks in advance!

    Oh my God!! It already works fine! I hadn't thought that "log" would be so painful.
    Thanks John Marshall! 
    Attached is my troubleshooting:
    INET#show ip nat translations
    Pro Inside global      Inside local       Outside local      Outside global
    tcp 195.77.205.33:49529 10.55.0.1:49529   4.2.2.2:22         4.2.2.2:22
    tcp 200.200.200.1:62978 10.55.1.1:62978   4.2.2.2:4343       4.2.2.2:4343
    tcp 195.77.205.20:13493 181.70.12.18:13493 195.47.200.32:443 195.47.200.32:443
    Furthermore, we can check that the rotary option also works:
    INET#show ip nat translations
    Pro Inside global      Inside local       Outside local      Outside global
    tcp 195.77.205.33:57238 10.55.0.1:57238   4.2.2.2:22         4.2.2.2:22
    tcp 195.77.205.33:16393 10.55.1.1:16393   4.2.2.2:22         4.2.2.2:22
    Thanks again!

  • Custom firmware for WRVS4400N with VPN NAT-T patch for Quick - VPN access

    Dear all,
    Based on the LINKSYS sources of the 1.1.03 firmware I made a new custom firmware
    1.1.07.C.7_27 (download) - April 22, 2009 - the EARTH day release
    with the following new features & fixed issues:
    + OPENSWAN fixes from 2/18/2008 for the NAT-T bug
    + several OPENSWAN IPSEC security issues
    + OPENSSL version 0.98g
    + IPv6 improvements, RADVD 1.1.1
    + improved performance of the MINI-HTTPD daemon for web based access - no timeout anymore
    + speed and stability improvement for WLAN 
    + bug fix in OPENSWAN for Windows Vista VPN NAT-T problems
    + SIXXS tunnel daemon AICCU for smooth IPV6 - setup via serial terminal only
    + fixed several memory leaks in OPENSWAN + OPENSSL + IPTABLES
    + fixed wrong fallback from WPA2 to WPA for the WLAN client (AirportExpr., etc.)
    + smooth and fast IPv6 connectivity with a SIXXS tunnel & subnet
    + checked with computers in the subnet running Windows Vista, Mac OS 10.x, Linux 2.6.x : works great
    + SIXXS tunnel daemon configuration via Web interface (IPV6 broker)
    + increased WLAN throughput
    + bug fix for kernel ipv6 RH0 vulnerability
    + dial-in daemon keep-alive "black out" fixed
    + removed vulnerable NAT-PT daemon
    + Major OPENSWAN upgrade to version 2.6.16
    + fixed several VPN bugs, improved VPN stability
    + Added protocol support for a reliable and tested VPN client: TheGreenBow 
    + speed improvement by 10 % for the LAN (str9202) & WLAN (str9100) by IRQ routine improvements
    + BIG BUG (uuuuuugh) removed that leads to a throughput drop by lost and reinjected packets - mahatma rotates in his grave!!!
    + optimized IP packet filter in the kernel
    + KERNEL update from 2.4.27 to 2.4.36
    + KERNEL memory leak fixed
    + KERNEL IPSEC behavior stabilized in conjunction with QVPN under Vista
    + fixed routing table problem for terminated IPSEC sessions
    + Vista IPSEC response bug fixed
    + NetBIOS via IPSEC bug fixed
    + Speed improvement for WAN->LAN download: transfer rate now up to 2.71 MBYTE/s !!!
    + Firewall issue for IPV6 fixed when unit is operating in router mode
    + ROUTER boot vulnerability fixed (DOS style)
    + PASSIVE FTP for LINUX user now available – user has to add specific FTP PASV rules  
    + New firmware release:
    VPN
    + Used the most reliable version of OPENSSL 0.9.8k - fixed the certificate problem with empty certificate fields
    + Added the bug fix for the DPD problem in Openswan – “Gateway<->Gateway” scenario
    + Speed improvement for the "road warrior" scenario - up to 50 % faster
    + Added a NAT-T method for the “double NAT” user scenario
    IPv6
    + Added software for the incredible HURRICANE ELECTRIC IPv6 provider (HE)
    + HE provides worldwide the lowest packet latency for IPv6
    + IPv6 island in a IPv4 network behind a NAT router possible
    + Simple step by step IPv6 deployment possible
    + SSL connection based protocol for endpoint update – very secure
    WIFI
    + Added automatic power management for the MARVELL WIFI adapter ap85
    + Speed improvement up to 30 % - combination of the kernel optimization and the new ap85 driver module from MARVELL
    + Fixed an issue where without connected LAN devices the WIFI connection may fail under very special circumstances
    + Improvement for the “Shared secret” and “PSK” generation
    Router management
    + Bug fix for the router web server - MAC users are now able to connect via HTTPS to the router without hassle
    + Added certificate for secure and reliable remote router management via HTTPS - SSL connections are now encrypted with a 2048 bit key and the AES-256 cipher algorithm based on OPENSSL 0.9.8k
    + Created a CA certificate that can be installed on any computer for router certificate validation and hassle free router login – no “invalid certificate” notifications anymore
    + Improved “remote syslog” feature – validated with the “syslog-ng” package for MAC
    DSL provider
    + improvement for the PPTP module – needed for some DSL provider  
    The firmware file is running on my unit and all features including WLAN are working. More than 700 successful installations until now!! Any interested user can download the firmware file and use the file at his own risk!!! This firmware is not useful for investment bankers, because the firmware will only work for what it was intended to work for - not more and not less.
    Next on the TODO list: 
    # finalizing the VPN client for remote access from MAC computers
    Best regards
    Message Edited by Borealis on 04-22-2009 11:56 AM

    Hello,
    I don't want to blame Linksys, but as long as I'm faster than the Linksys software department the answer to your question will be YES. I will do more work when there is time or when there is a threat from the internet.
    Recently I found out that the router could hang up when the device is attacked by a DoS attack (UDP flooding type). I guess that most Linksys router customers had the same problem in the past but they drew the wrong conclusion: the hardware or the firmware on the router is faulty. Doing nothing is simply unacceptable!
    Best regards

  • LLQ/shaping over dynamic VPN peer?

    I've got an ASA firewall that has multiple VPN peers that connect l2l via dynamic IPs (no peer in the crypto map), and I'm wondering on the appropriate way to apply LLQ/shaping to each individual tunnel at the head-end.
    Is this possible, or do I need a static endpoint to apply the policy to the individual tunnel group?
    Any assistance is appreciated.

    Hi Tzy,
    Two tunnels for the same traffic on the same device is not possible, but you can configure redundancy over the 2 cellular links for the same traffic.
    But if the traffic is different for both ACLs, then the tunnels should come up, but you need to define routes as to which traffic would use which interface.
    If there is a default route pointing to interface cell0/0/1 then all traffic will be sent using that interface, and you would then need to define either a static route for access-list 102 or a route-map to direct the traffic to the cell0/0/2 interface.
    On the ASA, you just need to configure the settings for a dynamic VPN tunnel.
    Hope that helps.
    Cheers,
    Abhi

  • WRVS4400N - Multiple Dynamic VPN Configurations?

    Hello,
    I am wondering if anyone knows whether or not the WRVS4400N supports more than one dynamic VPN configuration?
    I am trying to get the WRVS4400N to let more than one TheGreenBow client to connect to it.....
    Thank you,
    A Read

    Yes, you can configure multiple dynamic-to-static l2l on ASA. But for multiple connections using ezvpn will be much easier. Following links may help you
    http://www.cisco.com/en/US/products/ps6120/products_configuration_example09186a00805733df.shtml

  • Logging dynamic vpn connections

    How can I log dynamic VPN connections on a 2621 and a PIX 501? I have syslog already set up and working.

    You can use the Cisco Secure Access Control Server (ACS) for this. This is RADIUS/TACACS+ software that you can install on various versions of Windows Server 200x.
    You can perform Authentication, Authorization and, most important for you, Accounting. The server keeps track of who logged in, when he/she did that, how much traffic passed by, how long he/she stayed connected, etc.
    More information on the Cisco Secure ACS can be found here: http://www.cisco.com/go/acs
    Please rate if the post helps!
    Regards,
    Michael

  • Dynamic vpn with juniper

    I would like to set up an IPsec tunnel to the Juniper firewall. My Cisco box is an 1841 and has a 3G GSM card. When I try to initiate traffic from the Cisco it's ok, but the Juniper phase 1 is not ok. Is there any suggestion for the dynamic VPN issue, or has anyone tried this before?
    Regards


  • PIX, ASA or VPN concentrator & dynamic VPN

    Hi all,
    I need help what to use and how to do next.
    What we need is to create remote VPN for many users so that every user is member of more than one group and every group is linked to predefined set of rules, for instance you can access this IPs, ports and so on.
    How to do that dynamically? Is it possible to do that with one certificate?
    Other question is what to use? ..PIX, ASA, VPN concentrator ?
    BR
    jl

    The PIX and VPNC are both end-of-sale products now, and unless you already have them your only choice is IOS or ASA. Of those two, the ASA is the Cisco preferred platform for Remote Access VPNs.
    You can map users to groups using Active Directory OUs, let them select a group at logon, have different logon URLs per group etc. However as far as I know this is not possible:
    "every user is member of more than one group "
    Some links:
    http://www.cisco.com/en/US/products/ps6120/products_configuration_example09186a008089149d.shtml
    http://www.cisco.com/en/US/products/ps6120/products_configuration_example09186a00808bd83d.shtml
    With remote access IPSEC VPNs you can either define the groups on the ASA or externally on the ACS Server.
    Pls. rate if helpful.
    Regards
    Farrukh

  • ASA IPsec Remote Access VPN | NAT Question

    We have a situation where a company that needs remote VPN access to our network is having an IP conflict with our subnet. I know this is a common issue and can often be resolved on the client side by changing the metric on the network interface, but I am looking for a better solution on our end so I do not have to suggest workarounds.
    Part of the problem is likely that our subnet is "too big", but I'm not going to be changing that now.
    We are using 10.0.0.0/24 and the remote is using 10.0.11.0/24 and 10.1.0.0/16.
    I played around with some NAT rules and feel that I am missing something. I am looking for suggestions, please.
    Thank you.

    Hi,
    This depends on your ASA firewalls software version and partly on its current NAT configurations.
    I presume the following:
    Interfaces "inside" and "outside"
    VPN Pool network of 10.10.100.0/24 (or some 192/172 network)
    Software 8.2 and below
    access-list VPN-POLICYNAT remark Static Policy NAT for VPN Client
    access-list VPN-POLICYNAT permit ip 10.0.0.0 255.255.255.0 10.10.100.0 255.255.255.0
    static (inside,outside) 192.168.10.0 access-list VPN-POLICYNAT
    A key thing to keep in mind with this software level is that if any of your internal hosts on the network 10.0.0.0/24 also have a "static" configuration that binds their local IP address to a public IP address, then you might have to insert the above configuration and then remove the original "static" command and enter it back again.
    This will change the order of the "static" commands so that the original "static" command won't override this new configuration, as they are processed in the order they are inserted into the configuration. The remove/add part is just to change their order in the configuration.
    Software 8.3 and above
    object network LAN
    subnet 10.0.0.0 255.255.255.0
    object network LAN-VPN
    subnet 192.168.10.0 255.255.255.0
    object-group network VPN-POOL
    subnet 10.10.100.0 255.255.255.0
    nat (inside,outside) 1 source static LAN LAN-VPN destination static VPN-POOL VPN-POOL
    In the above configuration we do the same as in the older software version's configuration, but we have the number "1" in the "nat" command, which places it at the very top of your NAT configuration and therefore it applies. No need to remove any existing configuration and enter it again like in the old software.
    In addition to the above NAT configuration you naturally have to make sure that the traffic to the NATed LAN network goes to the VPN. So if using Split Tunnel, the NAT network needs to be added to the VPN ACL. If using Full Tunnel then naturally everything should already be coming through the VPN. I imagine though that you are using Split Tunnel, or?
    Hope this helps
    Please do remember to mark a reply as the correct answer if it answered your question.
    Feel free to ask more if needed
    - Jouni

  • ASA vpn nat question

    I have an ASA 5520 ver 8.4 with the following config:
    WAN
    207.211.25.34
    Production
    10.11.12.1 255.255.255.0
    Mgmt
    10.11.11.1 255.255.255.0
    I need to create a peer-to-peer VPN to a remote site ASP16 from both Prod and Mgmt.
    What would my NAT statement look like?
    Currently I have the following but can only ping from Mgmt, not Prod (ASP17 is a network object group that contains the Prod and Mgmt subnets):
    nat (Production,WAN) source static ASP17_VPN ASP17_VPN destination static ASP16 ASP16 no-proxy-arp route-lookup
    nat (Mgmt,WAN) source static ASP17_VPN ASP17_VPN destination static ASP8_Prod ASP8_Prod

    Hello Tejas,
    After reading your configuration I can see that the crypto maps are applied to the outside interface, and the access-list for the interesting traffic has both networks (Management and Production), so you should be able to access the other network from this site.
    Can you do the following packet-tracers to see which features the ICMP packet is hitting when the request is sent?
    I will need the output of the following commands:
    1- packet-tracer input Mgmt icmp 10.11.34.15 8 0 10.30.6.15
    2- packet-tracer input Production icmp 10.11.35.15 8 0 10.30.6.15
    Please rate helpful posts,
    Julio!!

  • ASA 5505: Site-to-Site VPN, NAT (Overlap Subnets)

    Greetings all. I've searched through the forums and have found some similar situations to mine but nothing specific. I'm hoping this is an easy fix... :/
    I volunteer for a non-profit medical facility that has an ASA 5505 (v8.4). They needed a site-to-site VPN to another facility (a Fortinet w/ 10.10.115.0/24) to securely transfer digital X-Ray images. Very simple setup... the issue is, my 5505 (192.168.1.x) overlaps with another site-to-site VPN connection on the Fortinet side already. So...
    The network admin on the Fortinet side assigned me 172.31.1.0/24. I have established a connection but obviously cannot route anywhere to the other side. Anyone have any suggestions here, how I might be able to accomplish this - hopefully with a simple NAT setup?
    Thank you in advance everyone.

    Hello Chris,
    For this scenario you will need to create a Policy NAT rule and then configure the interesting traffic with the translated IP addresses.
    Basically the NAT configuration will be like this:
    object network Local-net
    subnet 192.168.1.0 255.255.255.0
    object network Translated-net
    subnet 172.31.1.0 255.255.255.0
    object network Fortinet-net
    subnet 10.10.115.0 255.255.255.0
    nat (inside,outside) source static Local-net Translated-net destination static Fortinet-net Fortinet-net
    Obviously, you can change the name of the objects.
    Then for the interesting traffic, the ACL that is applied in the crypto map and defines the VPN traffic, you will need to configure it like this:
    access-list anyname permit ip 172.31.1.0 255.255.255.0 10.10.115.0 255.255.255.0
    This should allow you to pass traffic over this tunnel and it will hide your network behind the network that the Fortinet assigned you.
    Let me know if you have any doubts.
    Daniel Moreno
    Please rate any posts you find useful
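An added illustration (not the poster's, Cisco's or the page's own code) of the point made in this answer and in Jouni's policy-NAT answer above: on the ASA the twice-NAT rule rewrites the overlapping local source into the assigned 172.31.1.0/24 only for traffic to the Fortinet side, and the crypto-map ACL is then evaluated on the translated packet, so an ACL written with the real 192.168.1.0/24 never sends traffic into the tunnel. Object names and subnets are from the answer; the host addresses and the "wrong ACL" variant are constructed.

```python
import ipaddress

# Constructed model of the ASA 8.4 twice-NAT rule from the answer:
#   nat (inside,outside) source static Local-net Translated-net
#                        destination static Fortinet-net Fortinet-net
OBJECTS = {
    "Local-net": ipaddress.ip_network("192.168.1.0/24"),
    "Translated-net": ipaddress.ip_network("172.31.1.0/24"),
    "Fortinet-net": ipaddress.ip_network("10.10.115.0/24"),
}

# Ordered NAT table: the first rule whose real source AND destination match wins
NAT_RULES = [
    {"src": "Local-net", "mapped_src": "Translated-net",
     "dst": "Fortinet-net", "mapped_dst": "Fortinet-net"},
]


def translate(src: str, dst: str) -> tuple:
    """Apply the first matching twice-NAT rule to an inside->outside packet.
    Static net-to-net NAT keeps the host part, so 192.168.1.10 -> 172.31.1.10.
    Packets matching no policy rule are returned unchanged (other NAT rules,
    such as dynamic PAT to the Internet, are not modelled here)."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for rule in NAT_RULES:
        real_src, real_dst = OBJECTS[rule["src"]], OBJECTS[rule["dst"]]
        if s in real_src and d in real_dst:
            mapped = OBJECTS[rule["mapped_src"]]
            offset = int(s) - int(real_src.network_address)
            new_src = ipaddress.ip_address(int(mapped.network_address) + offset)
            # destination object maps to itself (Fortinet-net Fortinet-net)
            return str(new_src), dst
    return src, dst


def crypto_acl_matches(acl_src: str, acl_dst: str, src: str, dst: str) -> bool:
    """One 'permit ip <src-net> <dst-net>' line of the crypto-map ACL."""
    return (ipaddress.ip_address(src) in ipaddress.ip_network(acl_src)
            and ipaddress.ip_address(dst) in ipaddress.ip_network(acl_dst))


def goes_into_tunnel(src: str, dst: str, acl_src: str, acl_dst: str) -> bool:
    """NAT is applied before the crypto map sees the packet, so the ACL is
    checked against the translated source address."""
    nat_src, nat_dst = translate(src, dst)
    return crypto_acl_matches(acl_src, acl_dst, nat_src, nat_dst)


if __name__ == "__main__":
    # ACL exactly as in the answer: permit ip 172.31.1.0/24 10.10.115.0/24
    print(goes_into_tunnel("192.168.1.10", "10.10.115.5",
                           "172.31.1.0/24", "10.10.115.0/24"))   # True
    # Common mistake: ACL written with the real, untranslated local subnet
    print(goes_into_tunnel("192.168.1.10", "10.10.115.5",
                           "192.168.1.0/24", "10.10.115.0/24"))  # False
```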

  • VPN / NAT Problem

    Hi, I have quite a complex (to explain) VPN problem. I've built a model in GNS3 but I still can't get it to work. Here is the topology:
    1. SiteW is the main site. If W-Client wants to talk to S-Client (on SiteS) the traffic is simply NATted to 106.200.194.240 and sent there (this works fine).
    2. SiteB is a new site. I've set that up with a site-to-site VPN, and that works fine.
    New Requirement
    If a user at SiteB wants to talk to a client at SiteS, then the traffic should go over the existing VPN to W-FW1, then get decrypted and routed there. This is the bit I CANNOT, despite HOURS of tweaking and testing, get to work.
    What I've done
    On W-FW2
    Added Site S to the existing interesting-traffic ACL and added a 'NO NAT' for it like so:
    object network S-CLIENTS
    subnet 65.253.1.0 255.255.255.0
    access-list VPN-INTERESTING-TRAFIC extended permit ip object B-CLIENTS object S-CLIENTS
    nat (inside,outside) source static B-CLIENTS B-CLIENTS destination static S-CLIENTS S-CLIENTS
    On W-FW1
    Added Site S to the existing interesting-traffic ACL and added a 'NO NAT' for it like so:
    object network S-CLIENTS
    subnet 65.253.1.0 255.255.255.0
    access-list VPN-INTERESTING-TRAFIC extended permit ip object S-CLIENTS object B-CLIENTS
    nat (inside,outside) source static S-CLIENTS S-CLIENTS destination static B-CLIENTS B-CLIENTS
    At this point packet-tracer said the traffic was being blocked by an ACL, so I added:
    access-list inbound extended permit ip object B-CLIENTS object S-CLIENTS
    access-list inbound extended permit icmp object B-CLIENTS object S-CLIENTS
    access-group inbound in interface outside
    Now packet-tracer was happy, but still B-Client cannot ping S-Client!
    W-FW1 can ping S-Client.
    Attempting to ping S-Client from B-Client brings up the tunnel (phase 1 and 2) but no traffic ever travels BACK to B-Client.
    Running Wireshark on the 106.200.194.1 interface of S-FW1 whilst attempting to ping 65.253.1.10 from S-FW1 shows traffic (as expected), but if I ping from B-Client it gets nothing (so I'm assuming the traffic never gets out of W-FW1).
    Help!

    First check if the packet from the S client is making it back to W-FW1.
    Configure captures on the interface that is connected to the 106.200.194 subnet:
    #cap capin interface <interface name> match ip host <sclient ip> host <bclient ip>
    #show cap capin
    Capture is bidirectional. Hence no need to enable it in the opposite direction.
    If the packet is seen coming back from the S client and still not getting encrypted, then do an asp-drop capture to see if the ASA is dropping it:
    #capture asp type asp-drop all
    send the traffic.
    #show cap asp | in <Sclient IP>
    If the packet is seen in this capture then the ASA is dropping it.
    Then do a packet-tracer to see why it is dropping it:
    #packet-tracer input <Sclient connected interface name> icmp <sclient IP> 8 0 <b client IP> detailed
    Check why the packet is dropping.
    If the capin capture does not see the reply packet, then check the reply path and routing.
