How do I NAT inbound traffic from a site to site VPN?
OK, this is confusing me....
I have an ASA5520 and need to set up multiple VPNs to some vendor sites. All these vendors are using 192.168.1.0 networks. All have public IPs and very little knowledge, so they are unable to NAT from their end.
The idea is to create some /28 blocks of IPs (172.29.0.0/28) and manage this on our end.
How do I get this to work?
Thanks in advance....
Brent
example: (all IPs are fictional)
tunnel1
VPN
My side "outside" 10.10.10.10
Their side "outside" 20.20.20.20
Networks
My side "inside" 172.30.30.0
Their side "inside" 192.168.1.0 NAT'ed to 172.29.0.0/28
tunnel2
VPN
My side "outside" 10.10.10.10
Their side "outside" 30.30.30.30
Networks
My side "inside" 172.30.30.0
Their side "inside" 192.168.1.0 NAT'ed to 172.29.0.16/28
tunnel3
VPN
My side "outside" 10.10.10.10
Their side "outside" 40.40.40.40
Network (single address)
My side "inside" 172.30.30.1 255.255.255.255
Their side "inside" 192.168.1.1 255.255.255.255 NAT'ed to 172.29.0.33 255.255.255.255
Hi bbanderson,
It can handle multiple VPN NATs.
All you've got to do is make multiple entries in the same crypto map,
like:
crypto map crypto-map-name 1 set peer peer-ip
crypto map crypto-map-name 1 set transform-set .... etc, etc.
crypto map crypto-map-name 2 set peer peer-ip
crypto map crypto-map-name 2 set transform-set .... etc, etc.
for the different peers 10.10.10.10, 20.20.20.20, etc, and match the right access-list under each map entry:
crypto map Outside_map0 3 match address ... - this can be taken as an example.
HTH
Cheers
Arun
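Below is an added example, not from Brent's or Arun's posts, of what tunnel1 from the question looks like on the ASA when the vendor's addresses are translated on our side. It uses ASA 8.4 syntax; on 8.2 and earlier the same translation is an outside policy static (`static (outside,inside) 172.29.0.0 access-list VENDOR1_POLICY`, with the ACL permitting 192.168.1.0/28 to 172.30.30.0/24). The object, ACL, crypto map and group-policy names, the transform set, the pre-shared key and the port in the vpn-filter are assumptions; the addresses are the fictional ones from the question. Only the first 16 vendor hosts (192.168.1.0/28) are mapped, because a static translation needs real and mapped blocks of the same size: the vendor's whole /24 does not fit in a /28.

```cisco
! Added example for tunnel1 (ASA 8.4 syntax). Names are assumptions; addresses
! are the fictional ones from the question.

! Our LAN, the vendor's real block, and how the vendor appears to our LAN.
object network LOCAL_NET
 subnet 172.30.30.0 255.255.255.0
object network VENDOR1_REAL
 subnet 192.168.1.0 255.255.255.240
object network VENDOR1_MAPPED
 subnet 172.29.0.0 255.255.255.240

! Twice NAT, section 1, line 1, so it is matched before any PAT to the Internet.
! Inside hosts send to 172.29.0.x; the ASA rewrites that to 192.168.1.x before
! the crypto map is consulted, and undoes it for decrypted vendor packets.
! Our own addresses stay as they are (LOCAL_NET -> LOCAL_NET).
nat (inside,outside) 1 source static LOCAL_NET LOCAL_NET destination static VENDOR1_MAPPED VENDOR1_REAL

! Interesting traffic is written with the vendor's REAL addresses: on the way
! out the crypto ACL sees the packet after NAT, on the way in before it.
access-list VPN_VENDOR1 extended permit ip object LOCAL_NET object VENDOR1_REAL

! Phase 1 and phase 2 proposals (placeholders, match them to the vendor).
crypto ikev1 policy 10
 authentication pre-share
 encryption aes-256
 hash sha
 group 2
 lifetime 86400
crypto ikev1 enable outside
crypto ipsec ikev1 transform-set TS_AES256_SHA esp-aes-256 esp-sha-hmac

! Limit what the vendor may reach. vpn-filter ACLs are written from the remote
! side's point of view: source = vendor real address, destination = ours.
! Port 443 is an assumed example. Without a filter, decrypted traffic bypasses
! the outside interface ACL because sysopt connection permit-vpn is on by default.
access-list VENDOR1_FILTER extended permit tcp object VENDOR1_REAL object LOCAL_NET eq 443
group-policy GP_VENDOR1 internal
group-policy GP_VENDOR1 attributes
 vpn-tunnel-protocol ikev1
 vpn-filter value VENDOR1_FILTER

tunnel-group 20.20.20.20 type ipsec-l2l
tunnel-group 20.20.20.20 general-attributes
 default-group-policy GP_VENDOR1
tunnel-group 20.20.20.20 ipsec-attributes
 ikev1 pre-shared-key CHANGE-ME-vendor1-psk

! One crypto map on the outside interface, one sequence number per vendor.
crypto map VPN_MAP 1 match address VPN_VENDOR1
crypto map VPN_MAP 1 set peer 20.20.20.20
crypto map VPN_MAP 1 set ikev1 transform-set TS_AES256_SHA
crypto map VPN_MAP interface outside
```

Vendors 2 and 3 repeat the pattern with 172.29.0.16/28 and with host 172.29.0.33 (a `host` object mapped to `host 192.168.1.1`), each with its own peer, tunnel-group and crypto map sequence number 2 and 3. Two checks before relying on this: `packet-tracer input inside tcp 172.30.30.10 1025 172.29.0.5 443` should show the NAT phase rewriting the destination to 192.168.1.5 followed by a `VPN / encrypt` phase; and because every entry's crypto ACL names the same 192.168.1.0/28 on the vendor side while the ASA picks a crypto map entry by the first ACL match in sequence order, confirm with `show crypto ipsec sa peer <peer>` that the encaps counters rise on every tunnel and not only on sequence 1. The vpn-filter is the part that keeps a vendor from having the same reach into 172.30.30.0/24 as a LAN host.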
Similar Messages
-
How to create an inbound Idoc from an inbound IDoc in same client
An IDoc will come from XI as an inbound IDoc to SAP; now I have to read this inbound IDoc and split it into several inbound IDocs, which then need to be posted in the same client.
please let me know the procedure..
Thanks in advance,
Sagar
Hi Sagar,
Develop a custom Z inbound function module and configure it to trigger when the IDoc is received from XI. In your Z inbound function module, split the IDoc (received from XI) into the respective IDocs and, using MASTER_IDOC_DISTRIBUTE, post the IDocs into the same system.
Thanks & Regards -
How can we transfer product attributes from an already existing site? We have thousands of items and it would be tedious to do them one at a time. Is this possible through a CSV?
There are two parts to this:
1) It may be that you should have an Apple Education Support person helping you with this. If you have enough computers for this to be a problem, you may benefit from a Server, a site license, and an occasional visit from an Education Support Specialist.
2) The brief answer, if you want Individual Apple_IDs to control each computer, is to buy new copies of Mac OS X under those new Apple_IDs and re-download and re-Install. Mac OS X is customized to the Apple_ID before it is downloaded. -
How to create a inbound IDOC from flat file in Application server
HI All
Our requirement is to create the inbound IDocs from a flat file on the application server, within R/3.
Could any body please let me know the steps required for this.
Thanks
Malli
1. Read the file using OPEN DATASET, fill in the segment data and the EDIDC control header,
and then call the function:
CALL FUNCTION 'INBOUND_IDOC_PROCESS'
  TABLES
    idoc_control = i_edidc
    idoc_data    = i_edid4.
-
How can I permit all traffic from inside-dmz-outside on asa5505
Scenario :
Servers are in DMZ, Internal LAN Users should access ports Specified (5000 & 2048). Router 2801 is facing Leased line; from there it’s connected to firewall.
Router LAN IP: 83.111.X.X - 255.255.255.X
ASA Version 7.2(4)
hostname ciscoasa
domain-name default.domain.invalid
enable password 2KFQnbNIdI.2KYOU encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
names
interface Vlan1
nameif inside
security-level 100
ip address 192.168.X.X 255.255.255.0
interface Vlan2
nameif outside
security-level 0
ip address 83.111.X.X 255.255.255.240
interface Vlan3
nameif dmz
security-level 100
ip address 192.168.100.1 255.255.255.0
interface Ethernet0/0
switchport access vlan 2
interface Ethernet0/1
interface Ethernet0/2
switchport access vlan 3
interface Ethernet0/3
interface Ethernet0/4
interface Ethernet0/5
interface Ethernet0/6
switchport access vlan 3
interface Ethernet0/7
ftp mode passive
dns server-group DefaultDNS
domain-name default.domain.invalid
same-security-traffic permit inter-interface
same-security-traffic permit intra-interface
pager lines 24
logging asdm informational
mtu inside 1500
mtu outside 1500
mtu dmz 1500
no failover
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-524.bin
no asdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 1 0.0.0.0 0.0.0.0
route outside 0.0.0.0 0.0.0.0 83.111.x.x
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
http server enable
http 192.168.1.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
telnet timeout 5
ssh timeout 5
console timeout 0
dhcpd auto_config outside
dhcpd address 192.168.1.2-192.168.1.254 inside
dhcpd enable inside
class-map inspection_default
match default-inspection-traffic
policy-map type inspect dns preset_dns_map
parameters
message-length maximum 512
policy-map global_policy
class inspection_default
inspect dns preset_dns_map
inspect ftp
inspect h323 h225
inspect h323 ras
inspect rsh
inspect rtsp
inspect esmtp
inspect sqlnet
inspect skinny
inspect sunrpc
inspect xdmcp
inspect sip
inspect netbios
inspect tftp
service-policy global_policy global
prompt hostname context
Cryptochecksum:5663409d6ba3ad0bcd163e691f032f76
: end
Hi Ben,
Thank you for the response. I followed the link and tried reading everything you posted on AEs but I'm afraid that I didn't understand it all. It seems that each AE example had a single input and a single output (e.g. a double). Is this the case?
What I have is a couple of front panel clusters containing (approximately) 18 control doubles, 8 indicator doubles, 5 boolean radio button constructs and 26 boolean control discretes. I clusterized it to make it readable. In addition I'll eventually have a cluster of task references for hardware handles.
All I want to do is update the front panel values like I would do in C, VB or any other language. I've tried referencing the cluster and using the reference from inside the loops. I've tried using local variables. Neither works. I'm experimenting with globals but it seems that I have to construct the front panel in the global and then I wouldn't know how to reproduce that on the front panel of the main VI. Sometimes it seems that more time is spent getting around Labview constructs than benefitting from them.
I hope the 'Add Attachment' function actually puts a copy of the VI here and not a link to it.
Thanks again for the suggestion,
Frank
Attachments:
Front Panel Reference.vi 33 KB -
How do I download a file from Adobe to a site that wants my resume on an ipad
How do I download resume onto a career site on an ipad
Currently, there is no direct way to download a file on Acrobat.com to Documents (local storage) on your iPad.
You can open a file on Acrobat.com, send it as an email attachment, open the email attachment in Adobe Reader for iOS. -
How do I find apps downloaded from a third party site?
I downloaded a VPN app but I cannot find it to start it. Can anyone help?
You can't download apps from third-party sites, you can only download them via the App Store app on the iPad or via the iTunes store on your computer (which you can then sync to the iPad).
-
I am running VPN Client Version 5.0.00.0340. I have internal and external nics on the server. Once I have the tunnel established (inside internal nic) I seem to be dropping the inbound packets between the external and internal nics. Any suggestions?
Well no - not really. The VPN client will establish the connection to the remote end using the local routing table it has. From that point onwards that is the terminating IP address of the VPN session. The machine itself should be assigned an IP address from the remote VPN server; this IP address will be used to receive and send encrypted traffic from the central end.
If you have an internal NIC in the server you also have the VPN client on.... do you want to send traffic from your LAN through the VPN client to the remote end? If so, the external and internal NICs must be on the same IP subnet, as the remote VPN client cannot be used as a pass-through device for 2 different subnets.... unless you perform NAT on the device with the VPN client..... if you are doing that, you may as well just buy a firewall or router!
HTH. -
Access Site to Site from SSL VPN. ISA 570 & ASA 5505
I have an Site to Site network between my ISA 570 and my ASA 5505.
On the ISA 570 side I have the network 192.168.0.0/24 and remote users that are connecting via AnyConnect are in the 192.168.190.0/24
On the ASA 5505 side I have the network 192.168.200.0/24
The Site to Site is working properly, I can reach the networks from both sides.
But when I am connected via AnyConnect to the ISA firewall I also want to access the 192.168.200.0/24 network on the ASA side.
I have made a firewall rule (in the ISA 570) that allows traffic from SSLVPN to VPN, but I need to NAT the traffic from the 192.168.190.0/24 to 192.168.200.0/24, otherwise the ASA is blocking the traffic. I can solve the problem in the ASA but I want to solve it in the ISA 570.
I have solved my problem.
Just added an Advanced NAT.
From: Any (this will be changed to proper network later)
To: Any (this will be changed to proper network later)
Original Source Address: Any (this will be changed to proper network later)
Original Destination Address: Site_B (192.168.200.0/24)
Original services: Any
Translated source address: IP of my ISA 570 (192.168.0.1)
Translated destination address: Site_B (192.168.200.0/24)
Translated services: Any -
Static-nat and vpn tunnel bound traffic from same private address?
Hi guys,
I have site-to-site tunnel local host @192.168.0.250 and remote-host @172.16.3.3.
For this local host @192.168.0.250, I also have a static one-to-one private to public.
static (mgmt-192,outside-50) 216.9.50.250 192.168.0.250 netmask 255.255.255.255
As you can see, the IPsec SA shows the end-points in question and traffic is being decrypted but not encrypted; host traffic never enters the tunnel. Why?
How can I resolve this problem, without complicating the setup ?
BurlingtonASA1# packet-tracer input mgmt-192 icmp 192.168.0.250 8 0 172.16.3.3
Phase: 1
Type: CAPTURE
Subtype:
Result: ALLOW
Config:
Additional Information:
MAC Access list
Phase: 2
Type: ACCESS-LIST
Subtype:
Result: ALLOW
Config:
Implicit Rule
Additional Information:
MAC Access list
Phase: 3
Type: ROUTE-LOOKUP
Subtype: input
Result: ALLOW
Config:
Additional Information:
in 0.0.0.0 0.0.0.0 outside-50
Phase: 4
Type: ROUTE-LOOKUP
Subtype: input
Result: ALLOW
Config:
Additional Information:
in 192.168.0.0 255.255.255.0 mgmt-192
Phase: 5
Type: ACCESS-LIST
Subtype: log
Result: ALLOW
Config:
access-group mgmt_intf in interface mgmt-192
access-list mgmt_intf extended permit icmp any any
access-list mgmt_intf remark *** Permit Event02 access to DMZ Intf ***
Additional Information:
Phase: 6
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:
Phase: 7
Type: INSPECT
Subtype: np-inspect
Result: ALLOW
Config:
Additional Information:
Phase: 8
Type: NAT-EXEMPT
Subtype:
Result: ALLOW
Config:
nat-control
match ip mgmt-192 host 192.168.0.250 outside-50 host 172.16.3.3
NAT exempt
translate_hits = 5, untranslate_hits = 0
Additional Information:
Phase: 9
Type: NAT
Subtype:
Result: ALLOW
Config:
static (mgmt-192,outside-50) 216.9.50.250 192.168.0.250 netmask 255.255.255.255
nat-control
match ip mgmt-192 host 192.168.0.250 outside-50 any
static translation to 216.9.50.250
translate_hits = 25508, untranslate_hits = 7689
Additional Information:
Phase: 10
Type: NAT
Subtype: host-limits
Result: ALLOW
Config:
static (mgmt-192,dmz2-172) 192.168.0.0 192.168.0.0 netmask 255.255.255.0
nat-control
match ip mgmt-192 192.168.0.0 255.255.255.0 dmz2-172 any
static translation to 192.168.0.0
translate_hits = 28867754, untranslate_hits = 29774713
Additional Information:
Phase: 11
Type: VPN
Subtype: encrypt
Result: ALLOW
Config:
Additional Information:
Phase: 12
Type: FLOW-CREATION
Subtype:
Result: ALLOW
Config:
Additional Information:
New flow created with id 1623623685, packet dispatched to next module
Result:
input-interface: mgmt-192
input-status: up
input-line-status: up
output-interface: outside-50
output-status: up
output-line-status: up
Action: allow
BurlingtonASA1#
Crypto map tag: map1, seq num: 4, local addr: 216.9.50.4
access-list newvpn extended permit ip host 192.168.0.250 host 172.16.3.3
local ident (addr/mask/prot/port): (192.168.0.250/255.255.255.255/0/0)
remote ident (addr/mask/prot/port): (172.16.3.3/255.255.255.255/0/0)
current_peer: 216.9.62.4
#pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
#pkts decaps: 53, #pkts decrypt: 53, #pkts verify: 53
#pkts compressed: 0, #pkts decompressed: 0
#pkts not compressed: 0, #pkts comp failed: 0, #pkts decomp failed: 0
#pre-frag successes: 0, #pre-frag failures: 0, #fragments created: 0
#PMTUs sent: 0, #PMTUs rcvd: 0, #decapsulated frgs needing reassembly: 0
#send errors: 0, #recv errors: 0
local crypto endpt.: 216.9.50.4, remote crypto endpt.: 216.9.62.4
path mtu 1500, ipsec overhead 74, media mtu 1500
current outbound spi: 37CA63F1
current inbound spi : 461C843C
inbound esp sas:
spi: 0x461C843C (1176273980)
transform: esp-aes-256 esp-sha-hmac no compression
in use settings ={L2L, Tunnel, }
slot: 0, conn_id: 77398016, crypto-map: map1
sa timing: remaining key lifetime (kB/sec): (3914997/25972)
IV size: 16 bytes
replay detection support: Y
Anti replay bitmap:
0x003FFFFF 0xFFFFFFFF
outbound esp sas:
spi: 0x37CA63F1 (936010737)
transform: esp-aes-256 esp-sha-hmac no compression
in use settings ={L2L, Tunnel, }
slot: 0, conn_id: 77398016, crypto-map: map1
sa timing: remaining key lifetime (kB/sec): (3915000/25972)
IV size: 16 bytes
replay detection support: Y
Anti replay bitmap:
0x00000000 0x00000001
Hi
interesting VPN ACL
object-group network DM_INLINE_NETWORK_18
network-object YYY.YYY.YYY.0 255.255.255.0
object-group network DM_INLINE_NETWORK_22
network-object UUU.UUU.UUU.0 255.255.255.0
access-list outside_access_in extended permit ip object-group DM_INLINE_NETWORK_22 object-group DM_INLINE_NETWORK_18
Static NAT
static (Inside,outside) XXX.XXX.XXX.171 YYY.YYY.YYY.39 netmask 255.255.255.255
No NAT
object-group network DM_INLINE_NETWORK_20
network-object UUU.UUU.UUU.0 255.255.255.0
access-list Inside_nat0_outbound extended permit ip ZZZ.ZZZ.ZZZ.0 255.255.255.0 object-group DM_INLINE_NETWORK_20
VPN CLient Pool
No pool configured as it uses the interesting traffic or protected traffic in ASDM - UUU.UUU.UUU.0 is the IP address range at the far side of the site to site VPN.
I hope this helps
Thanks -
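An added example (not the poster's running config or the reply's) of the configuration that normally lets a host with a public one-to-one static also enter a site-to-site tunnel untranslated, followed by the checks that tell a working setup from a broken one. Interface names, ACL names and addresses are taken from the packet-tracer and SA output above; the transform-set name and the 8.3+ object names are assumptions. On 8.2, NAT exemption (`nat 0 access-list`) has precedence over static and dynamic rules, which is why the tracer above reports the NAT-EXEMPT phase before the static.

```cisco
! Added example (not the poster's running config): public static plus an
! untranslated VPN path for the same host, ASA 8.2 syntax as in the
! packet-tracer above. Transform-set name and the 8.3+ object names are assumed.

! 1) Exemption first. nat 0 with an access-list has precedence over static
!    and dynamic NAT, so traffic to the tunnel partner keeps 192.168.0.250.
access-list NO_NAT_VPN extended permit ip host 192.168.0.250 host 172.16.3.3
nat (mgmt-192) 0 access-list NO_NAT_VPN

! 2) Everything else from the host leaves with its public address.
static (mgmt-192,outside-50) 216.9.50.250 192.168.0.250 netmask 255.255.255.255

! 3) The crypto ACL is the exemption ACL's mirror image, so the untranslated
!    packet matches the tunnel; the peer is the one from the SA output above.
access-list newvpn extended permit ip host 192.168.0.250 host 172.16.3.3
crypto ipsec transform-set ESP-AES256-SHA esp-aes-256 esp-sha-hmac
crypto map map1 4 match address newvpn
crypto map map1 4 set peer 216.9.62.4
crypto map map1 4 set transform-set ESP-AES256-SHA
crypto map map1 interface outside-50

! The same on 8.3 and later: an identity twice-NAT rule (section 1), which is
! always evaluated before the object NAT static in section 2.
!   object network MGMT_HOST
!    host 192.168.0.250
!    nat (mgmt-192,outside-50) static 216.9.50.250
!   object network VPN_PARTNER
!    host 172.16.3.3
!   nat (mgmt-192,outside-50) source static MGMT_HOST MGMT_HOST destination static VPN_PARTNER VPN_PARTNER

! Checks. The tracer should show NAT-EXEMPT and then "Type: VPN, Subtype: encrypt".
! If the tracer passes but live encaps stay at 0, compare a capture of the real
! traffic with what was traced (source address, ingress interface, existing xlate).
!   packet-tracer input mgmt-192 icmp 192.168.0.250 8 0 172.16.3.3
!   show nat | include 172.16.3.3
!   show xlate | include 192.168.0.250
!   show crypto ipsec sa peer 216.9.62.4 | include encaps|decaps
!   capture VPNCAP interface mgmt-192 match ip host 192.168.0.250 host 172.16.3.3
```
-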
How can i configure my iphone to only pass traffic from certain apps over vpn
I have got a telephony app that connects to a phone system through VPN. When I turn on "send all traffic through VPN", internet and other apps are really slow. Is there a way to configure the phone to send only traffic from the app through VPN?
Now all my new apps as well as several others are gone from the iPhone.
Look on other screens. The 4.1 update adds Game Center to the home screen. If that screen was full it creates a blank screen and moves one app from the home screen to the new screen to make room for Game Center. All the other screens are pushed back one place.
How can I get my apps back? It cost me a lot of time and money to discover those apps and get them onto the phone. Are they just gone now?
If they are really gone, you can download them again. You will not be charged again if you use the same iTunes account. -
How to create Inbound Idoc from XML file-Need help urgently
Hi,
can any one tell how to create inbound Idoc from XML file.
we have xml file in application server Ex. /usr/INT/SMS/PAYTEXT.xml' we want to generate inbound idoc from this file.we are successfully able to generate outbound XML file from outbound Idoc by using the XML port. But not able to generate idoc from XML file by using we19 or we16.
Please let me know the process to trigger inbound Idoc with out using XI and any other components.
Thanks in advance
Dora Reddy
Hi .. Did either of you get a result on this?
My question is the same really .. I am testing with WE19 and it seems SAP cannot accept an XML inbound file as standard.
I see lots of mention of using a Function Module.
Am I correct in saying therefore that ABAP development is required to create a program to run the FM and process the IDoc?
Or is there something that can be done with standard SAP?
Thanks
Lee -
VRF-Lite on one 6509; How to route traffic from global to VRF.
To anyone that can lead me in the right direction:
I have a 6509 switch with IOS "s3223-adventerprise_wan-mz.122-33.SXJ2.bin" on it. I am running VRF-lite on it and would like to route some subnets from the global route table to the VRF route table. How can I do this and stay on the same physical switch? I am using EIGRP for the global network and route table and static routing within the VRF. Any suggestions or recommendations? Thanks in advance for your help in this matter...
Hello,
You need to use a static route in both directions: one static in the VRF table pointing to the global interface, and another one in the global table pointing to the VRF interface for the returning traffic. After that, you can redistribute the global static route into EIGRP for end-to-end connectivity!
Example:
Consider you have 2 interfaces in your Core SW-6509: One is G0/1 and the other is G0/2
G0/1 is placed into the Global table , and G0/2 is part of VRF (X)
interface G0/1
 ip address 1.1.1.1 255.255.255.0
interface G0/2
 ip vrf forwarding X
 ip address 2.2.2.2 255.255.255.0
Consider Subnet Y.Y.Y.Y in the Global and you want to have it accessible from the VRF!
configure this: (ip route vrf X y.y.y.y <mask> G0/1 global)
Configure also this for the return traffic from the Global table: (ip route 2.2.2.2 z.z.z.z G0/2)
You can then redistribute the Global static into EIGRP as below:
router eigrp 1
 no auto-summary
 redistribute static metric 1 1 1 1 1
HTH
Mohamed -
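The same route leak carried through end to end, as an added example that is not Mohamed's config: a VRF named CUST, the addresses, and the prefix-list and route-map names are assumptions chosen for illustration. It adds the two things the sketch above leaves out: a next hop on the multi-access interfaces (an interface-only static does not resolve on Ethernet) and a route-map so that only the leaked VRF prefix, not every static route, is redistributed into global EIGRP.

```cisco
! Added example (not Mohamed's config): VRF-lite route leaking on a single
! 6500 with static routes. VRF name CUST, addresses, prefix-list and route-map
! names are assumptions for illustration.

ip vrf CUST
 rd 65000:1

! Global-side uplink; 10.0.0.2 is the global next hop.
interface GigabitEthernet1/1
 ip address 10.0.0.1 255.255.255.0

! VRF-side interface; 192.168.50.0/24 sits behind 192.168.50.2 inside CUST.
interface GigabitEthernet1/2
 ip vrf forwarding CUST
 ip address 192.168.50.1 255.255.255.0

! 1) VRF -> global: make the global subnet 172.16.10.0/24 reachable from CUST.
!    Give both the interface and the next hop; "global" resolves the next hop
!    in the global table instead of in CUST.
ip route vrf CUST 172.16.10.0 255.255.255.0 GigabitEthernet1/1 10.0.0.2 global

! 2) global -> VRF: return route for the VRF subnet. Pointing the global route
!    at an interface that belongs to CUST resolves the next hop inside the VRF.
ip route 192.168.50.0 255.255.255.0 GigabitEthernet1/2 192.168.50.2

! 3) Advertise only the leaked VRF prefix into global EIGRP.
ip prefix-list LEAK-TO-GLOBAL seq 5 permit 192.168.50.0/24
route-map STATIC-TO-EIGRP permit 10
 match ip address prefix-list LEAK-TO-GLOBAL
router eigrp 1
 no auto-summary
 network 10.0.0.0 0.0.0.255
 redistribute static metric 10000 100 255 1 1500 route-map STATIC-TO-EIGRP

! Verify from each table:
!   show ip route vrf CUST 172.16.10.0
!   show ip route 192.168.50.0
!   ping vrf CUST 172.16.10.5 source 192.168.50.1
```
-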
We have a CFTV system running on Win2008R2 that listens on 4 sequential port numbers and the last port is the Web Browser Port number for management and viewing cameras
When we configure the port 8077 on the software, it opens 8077, 8078, 8079 and 8080 and works with no problem
But...
When we try to configure port 77 (and therefore 77, 78, 79 and 80) the application hangs and it seems not to be possible to configure it to use port 80
I could confirm that, using NETSTAT, the main CFTV application opens all required ports with no problem, but only works on ports with a number different from "80", which is what I want, to make users more comfortable, avoiding typing ":PORT_NUMBER"
after the URL; it will be a more "elegant" solution to use default port 80 for users' connections
The question is: How to do a PortForward/Port Proxy? Redirecting traffic from port 8080 to 80 on the SAME machine?
May I use NETSH? (based on Help, it can be used to do this, but on different machines, not the same one)
Is there a RELIABLE application, running as a service, that can do the port forward/redirect?
Hi,
I'm sorry to tell you that we can't redirect traffic from a port to another port on the same server itself. But we can do it with a router which is configured to port forward.
By the way, according to your description, another program may use the port 80. Is there an IIS installed on the server? If it is necessary, you can consult your CFTV system vendor.
Hope this helps.
Steven Lee
TechNet Community Support -
How to redirect Internet traffic from RV082 to RV042 through a VPN Tunnel??
Fellows,
We have offices in USA and Venezuela.
In our USA office we have a RV042 router and in Venezuela we have a RV082 router.
We have connected a VPN tunnel (gateway-to-gateway) between both offices.
The point is:
How could we redirect the internet traffic from our Venezuela office (RV082) to the USA Office (RV042) to navigate using USA public IP's?
The reason for this is that we need to use online streaming services which are only available for IP's from USA and we can't use them from the Venezuelan IP's.
We can not use the PPTP option since the equipment which will use the streaming services (like hulu, crackle, etc.) in Venezuela is a Google TV device which doesn't allow the configuration of proxy navigation or PPTP VPN connections itself. That's the reason why we need to do that through the routers.
We will really appreciate your support on this matter.
Daniel
Hi Daniel, this is called ESP wildcard forwarding which the router does support.
https://supportforums.cisco.com/docs/DOC-12534 <- This is older but applicable
https://supportforums.cisco.com/message/3766661
-Tom
Please mark answered for helpful posts