IPsec ASA5510 to ASA5505 with NAT

Hello All,
Im struggling to work out the best way to setup an ipsec and be able to NAT,
I have a requirement for a customer who needs connects to my network over IPsec.
He needs to connect to 2 differant servers which sit behind respective firewalls.
in order to successfully connect to either he needs to source from a specific IP and target specific IPs/ports.
Please see the topology attached. How can the customer setup NAT on his network so that he can hit my ASA5510 for the differant targets?
Please provide some sample config if possible..
Many thanks in advance..

Similar Messages

IPSEC tunnel with NAT and NetMeeting

I have established an IPSEC tunnel with two Cisco 2621 routers. Clients over the Internet are able to dial into the MCU server, which is behind one of the Cisco 2621 routers configured with NAT but the MCU is not able to call the client. The MCU is able to call any server or client on the LAN however it is not able to call anyone passed the router configured with NAT. Could anyone who has experience with NAT and IPSEC help me out?
Thanks,

The following doc should help...
http://www.cisco.com/warp/public/707/ipsecnat.html

Two Cisco ASA 5505, IPSec Multiple Subnets, Problem with Phase2, DSL

Hi all.
we have following IPSec configuration:
ASA Site 1:
Cisco Adaptive Security Appliance Software Version 9.1(1)
crypto ipsec ikev1 transform-set TSAES esp-aes-256 esp-sha-hmac
crypto ipsec ikev1 transform-set TSMD5 esp-3des esp-md5-hmac
crypto ipsec ikev2 ipsec-proposal PropAES256
access-list SITE_2 extended permit ip 172.27.0.0 255.255.0.0 172.27.97.0 255.255.255.0
access-list SITE_2 extended permit ip 172.28.60.0 255.255.254.0 172.27.97.0 255.255.255.0
access-list SITE_2 extended permit ip 172.22.0.0 255.255.0.0 172.27.97.0 255.255.255.0
access-list SITE_2 extended permit ip 172.27.0.0 255.255.0.0 172.27.99.0 255.255.255.0
access-list SITE_2 extended permit ip 172.22.0.0 255.255.0.0 172.27.99.0 255.255.255.0
crypto map CMVPN 5 match address SITE_2
crypto map CMVPN 5 set peer IP_SITE2
crypto map CMVPN 5 set ikev2 ipsec-proposal PropAES256
crypto map CMVPN interface OUTSIDE
route OUTSIDE 172.27.97.0 255.255.255.0 citic-internet-gw 255
route OUTSIDE 172.27.99.0 255.255.255.0 citic-internet-gw 255
tunnel-group IP_SITE2 type ipsec-l2l
tunnel-group IP_SITE2 general-attributes
default-group-policy VPN_S2S_WAN
tunnel-group IP_SITE2 ipsec-attributes
ikev2 remote-authentication pre-shared-key *****
ikev2 local-authentication pre-shared-key *****
ASA Site 2:
Cisco Adaptive Security Appliance Software Version 9.1(4)
access-list SITE_1 extended permit ip 172.27.97.0 255.255.255.0 172.28.60.0 255.255.254.0
access-list SITE_1 extended permit ip 172.27.97.0 255.255.255.0 172.27.0.0 255.255.0.0
access-list SITE_1 extended permit ip 172.27.97.0 255.255.255.0 172.22.0.0 255.255.0.0
access-list SITE_1 extended permit ip 172.27.99.0 255.255.255.0 172.27.0.0 255.255.0.0
access-list SITE_1 extended permit ip 172.27.99.0 255.255.255.0 172.22.0.0 255.255.0.0
crypto map CMVPN 10 match address SITE_1
crypto map CMVPN 10 match address SITE_1
crypto map CMVPN 10 set peer IP_SITE1
crypto map CMVPN 10 set ikev2 ipsec-proposal IKEV2AES
crypto map CMVPN 10 set reverse-route
crypto map CMVPN interface OUTSIDE
tunnel-group IP_SITE1 type ipsec-l2l
tunnel-group IP_SITE1 general-attributes
default-group-policy VPN_S2S_WAN
tunnel-group IP_SITE1 ipsec-attributes
ikev2 remote-authentication pre-shared-key *****
ikev2 local-authentication pre-shared-key *****
We are not able to reach from 172.22.20.x ips 172.27.99.x.
It seems so that the phase2 for this subnet is missing…...... as long as we try to reach from 172.27.99.x any ip in 172.22.20.x.
We are using similar configuration on many sites and it works correctly expect sites with DSL line.
We can exclude problem with NAT,ACL or routing. The connection is working fine as long as “we open all phase 2 manually” . After re-open (idle timeout) the tunnel the problem comes back.
Thanks in advance for your help.
Regards.
Jan
ASA Site 1# sh vpn-sessiondb detail l2l filter ipaddress ASA Site 2
Session Type: LAN-to-LAN Detailed
Connection   : IP ASA Site 2
Index        : 3058                   IP Addr      : IP ASA Site 2
Protocol     : IKEv2 IPsec
Encryption   : IKEv2: (1)AES256 IPsec: (3)AES256
Hashing      : IKEv2: (1)SHA512 IPsec: (3)SHA1
Bytes Tx     : 423634                 Bytes Rx     : 450526
Login Time   : 19:59:35 HKT Tue Apr 29 2014
Duration     : 1h:50m:45s
IKEv2 Tunnels: 1
IPsec Tunnels: 3
IKEv2:
Tunnel ID    : 3058.1
UDP Src Port : 500                    UDP Dst Port : 500
Rem Auth Mode: preSharedKeys
Loc Auth Mode: preSharedKeys
Encryption   : AES256                 Hashing      : SHA512
Rekey Int (T): 86400 Seconds          Rekey Left(T): 79756 Seconds
PRF          : SHA512                 D/H Group    : 5
Filter Name :
IPv6 Filter :
IPsec:
Tunnel ID    : 3058.2
Local Addr   : 172.22.0.0/255.255.0.0/0/0
Remote Addr : 172.27.97.0/255.255.255.0/0/0
Encryption   : AES256                 Hashing      : SHA1
Encapsulation: Tunnel
Rekey Int (T): 28800 Seconds          Rekey Left(T): 22156 Seconds
Rekey Int (D): 4608000 K-Bytes        Rekey Left(D): 4607648 K-Bytes
Idle Time Out: 25 Minutes             Idle TO Left : 24 Minutes
Bytes Tx     : 312546                 Bytes Rx     : 361444
Pkts Tx      : 3745                   Pkts Rx      : 3785
IPsec:
Tunnel ID    : 3058.3
Local Addr   : 172.27.0.0/255.255.0.0/0/0
Remote Addr : 172.27.97.0/255.255.255.0/0/0
Encryption   : AES256                 Hashing      : SHA1
Encapsulation: Tunnel
Rekey Int (T): 28800 Seconds          Rekey Left(T): 22165 Seconds
Rekey Int (D): 4608000 K-Bytes        Rekey Left(D): 4607952 K-Bytes
Idle Time Out: 25 Minutes             Idle TO Left : 24 Minutes
Bytes Tx     : 50014                  Bytes Rx     : 44621
Pkts Tx      : 496                    Pkts Rx      : 503
IPsec:
Tunnel ID    : 3058.4
Local Addr   : 172.27.0.0/255.255.0.0/0/0
Remote Addr : 172.27.99.0/255.255.255.0/0/0
Encryption   : AES256                 Hashing      : SHA1
Encapsulation: Tunnel
Rekey Int (T): 28800 Seconds          Rekey Left(T): 22324 Seconds
Rekey Int (D): 4608000 K-Bytes        Rekey Left(D): 4607941 K-Bytes
Idle Time Out: 25 Minutes             Idle TO Left : 24 Minutes
Bytes Tx     : 61074                  Bytes Rx     : 44461
Pkts Tx      : 402                    Pkts Rx      : 437
NAC:
Reval Int (T): 0 Seconds              Reval Left(T): 0 Seconds
SQ Int (T)   : 0 Seconds              EoU Age(T)   : 6648 Seconds
Hold Left (T): 0 Seconds              Posture Token:
Redirect URL :
....  after ping from 172.27.99.x any ip in 172.22.20.x.
ASA Site 1# sh vpn-sessiondb detail l2l filter ipaddress ASA Site 2
Session Type: LAN-to-LAN Detailed
Connection   : IP ASA Site 2
Index        : 3058                   IP Addr      : IP ASA Site 2
Protocol     : IKEv2 IPsec
Encryption   : IKEv2: (1)AES256 IPsec: (4)AES256
Hashing      : IKEv2: (1)SHA512 IPsec: (4)SHA1
Bytes Tx     : 784455                 Bytes Rx     : 1808965
Login Time   : 19:59:35 HKT Tue Apr 29 2014
Duration     : 2h:10m:48s
IKEv2 Tunnels: 1
IPsec Tunnels: 4
IKEv2:
Tunnel ID    : 3058.1
UDP Src Port : 500                    UDP Dst Port : 500
Rem Auth Mode: preSharedKeys
Loc Auth Mode: preSharedKeys
Encryption   : AES256                 Hashing      : SHA512
Rekey Int (T): 86400 Seconds          Rekey Left(T): 78553 Seconds
PRF          : SHA512                 D/H Group    : 5
Filter Name :
IPv6 Filter :
IPsec:
Tunnel ID    : 3058.2
Local Addr   : 172.22.0.0/255.255.0.0/0/0
Remote Addr : 172.27.97.0/255.255.255.0/0/0
Encryption   : AES256                 Hashing      : SHA1
Encapsulation: Tunnel
Rekey Int (T): 28800 Seconds          Rekey Left(T): 20953 Seconds
Rekey Int (D): 4608000 K-Bytes        Rekey Left(D): 4606335 K-Bytes
Idle Time Out: 25 Minutes             Idle TO Left : 24 Minutes
Bytes Tx     : 652492                 Bytes Rx     : 1705136
Pkts Tx      : 7419                   Pkts Rx      : 7611
IPsec:
Tunnel ID    : 3058.3
Local Addr   : 172.27.0.0/255.255.0.0/0/0
Remote Addr : 172.27.97.0/255.255.255.0/0/0
Encryption   : AES256                 Hashing      : SHA1
Encapsulation: Tunnel
Rekey Int (T): 28800 Seconds          Rekey Left(T): 20962 Seconds
Rekey Int (D): 4608000 K-Bytes        Rekey Left(D): 4607942 K-Bytes
Idle Time Out: 25 Minutes             Idle TO Left : 24 Minutes
Bytes Tx     : 60128                  Bytes Rx     : 52359
Pkts Tx      : 587                    Pkts Rx      : 594
IPsec:
Tunnel ID    : 3058.4
Local Addr   : 172.27.0.0/255.255.0.0/0/0
Remote Addr : 172.27.99.0/255.255.255.0/0/0
Encryption   : AES256                 Hashing      : SHA1
Encapsulation: Tunnel
Rekey Int (T): 28800 Seconds          Rekey Left(T): 21121 Seconds
Rekey Int (D): 4608000 K-Bytes        Rekey Left(D): 4607931 K-Bytes
Idle Time Out: 25 Minutes             Idle TO Left : 24 Minutes
Bytes Tx     : 70949                  Bytes Rx     : 50684
Pkts Tx      : 475                    Pkts Rx      : 514
IPsec:
Tunnel ID    : 3058.5
Local Addr   : 172.22.0.0/255.255.0.0/0/0
Remote Addr : 172.27.99.0/255.255.255.0/0/0
Encryption   : AES256                 Hashing      : SHA1
Encapsulation: Tunnel
Rekey Int (T): 28800 Seconds          Rekey Left(T): 28767 Seconds
Rekey Int (D): 4608000 K-Bytes        Rekey Left(D): 4608000 K-Bytes
Idle Time Out: 25 Minutes             Idle TO Left : 24 Minutes
Bytes Tx     : 961                    Bytes Rx     : 871
Pkts Tx      : 17                     Pkts Rx      : 14
NAC:
Reval Int (T): 0 Seconds              Reval Left(T): 0 Seconds
SQ Int (T)   : 0 Seconds              EoU Age(T)   : 7852 Seconds
Hold Left (T): 0 Seconds              Posture Token:
Redirect URL :

Hi,
on 212 is see
tunnel-group 195.xxx.xxx.xxx type ipsec-l2l
tunnel-group 195.xxx.xxx.xxx ipsec-attributes
pre-shared-key
When you define the peer with static tunnel-group entry ASA is looking for peer configuration in static crypto map. If the peer is behind static NAT configure a proper static crypto map with matching acl and proposals.
If the peer is behind dynamic nat refer this example :http://www.cisco.com/c/en/us/support/docs/security/pix-500-series-security-appliances/81883-ipsec-iosrtr-dyn-pix-nat.html
Regards,
Abaji.

Problem with nat-ing on asa 5505

i have the asa5505 with asa8.4.2 and asdm 6.4.5. i use this asa5505 for connecting my network 192.168.0.0/24 with network 10.15.100.0/24. my wan port of asa5505 on network 10.13.74.0/24, lan port is on 192.168.0.0./24. this configuration worked ok until my isp changed router on address 10.13.74.1. i nat-ed on asa5505, i puted access policy and i had access network 10.15.100.0/24. but now i can't. the users from network can access devices on addresses 192.168.0.20 and 192.168.0.22 but i can't access the network 10.15.100.0/24. my configuration of asa5505 is:
Result of the command: "show runn": Saved:ASA Version 8.4(2) !hostname ciscoasaenable password 8Ry2YjIyt7RRXU24 encryptedpasswd 2KFQnbNIdI.2KYOU encryptednames!interface Ethernet0/0 switchport access vlan 2!interface Ethernet0/1!interface Ethernet0/2!interface Ethernet0/3!interface Ethernet0/4!interface Ethernet0/5!interface Ethernet0/6!interface Ethernet0/7!interface Vlan1 nameif inside security-level 100 ip address 192.168.0.17 255.255.255.0 !interface Vlan2 nameif outside security-level 0 ip address 10.13.74.33 255.255.255.0 !ftp mode passiveobject network obj_any subnet 0.0.0.0 0.0.0.0object network server host 192.168.0.20object network sharepointdri host 192.168.0.22object network paragraflex host 192.168.0.20object network dri.local subnet 192.168.0.0 255.255.255.0object service ParagrafLex1 service tcp source eq 6190 description Odlazniobject service paragraf service tcp destination eq 6190 description dolazniobject network nonat host 192.168.0.20object network lokalnamreza range 192.168.0.1 192.168.0.254object network natnetwork subnet 192.168.0.0 255.255.255.0object network natmreze subnet 192.168.0.0 255.255.255.0object-group service DM_INLINE_SERVICE_2 service-object ip service-object icmp echo-reply service-object tcp object-group service DM_INLINE_SERVICE_1 service-object icmp echo-reply service-object tcp service-object ip service-object tcp destination eq domain service-object tcp destination eq ldap service-object object ParagrafLex1 object-group service DM_INLINE_SERVICE_8 service-object ip service-object tcp service-object icmp echo-replyobject-group service DM_INLINE_SERVICE_3 service-object tcp service-object tcp destination eq domain service-object tcp destination eq ldap object-group service DM_INLINE_SERVICE_4 service-object tcp service-object icmp echo-replyobject-group protocol DM_INLINE_PROTOCOL_2 protocol-object udp protocol-object tcpobject-group protocol TCPUDP protocol-object udp protocol-object tcpobject-group service DM_INLINE_SERVICE_5 service-object ip service-object icmp echo-replyobject-group protocol DM_INLINE_PROTOCOL_1 protocol-object ip protocol-object tcpobject-group service DM_INLINE_SERVICE_6 service-object ip service-object tcp service-object icmp echo-reply service-object icmp service-object tcp destination eq https object-group service DM_INLINE_SERVICE_7 service-object ip service-object tcp service-object icmp echo-reply service-object tcp destination eq https object-group network DM_INLINE_NETWORK_1 network-object 10.13.74.0 255.255.255.0 network-object 10.15.100.0 255.255.255.0object-group service DM_INLINE_SERVICE_9 service-object tcp-udp service-object tcp destination eq https service-object tcp destination eq domain object-group service DM_INLINE_SERVICE_10 service-object ip service-object tcp service-object icmp echo-replyobject-group service DM_INLINE_SERVICE_11 service-object ip service-object tcp service-object icmp echo-replyaccess-list nonat extended permit object-group DM_INLINE_SERVICE_8 192.168.0.0 255.255.255.0 object-group DM_INLINE_NETWORK_1 access-list inside_access_out extended permit object-group DM_INLINE_SERVICE_6 any any access-list inside_access_in extended permit object-group DM_INLINE_SERVICE_2 object dri.local 10.15.100.0 255.255.255.0 access-list inside_access_in extended permit object-group DM_INLINE_SERVICE_7 any any access-list uprava_access_out extended permit object-group DM_INLINE_SERVICE_3 object dri.local 10.13.74.0 255.255.255.0 access-list uprava_access_out extended permit object-group DM_INLINE_SERVICE_4 any any access-list uprava_access_out extended permit object-group DM_INLINE_SERVICE_3 192.168.0.0 255.255.255.0 10.13.74.0 255.255.255.0 access-list outside_access_in_1 extended permit object paragraf any object server access-list outside_access_in_1 extended permit object-group DM_INLINE_SERVICE_1 any object server access-list outside_access_in_1 extended permit object-group DM_INLINE_PROTOCOL_1 any object sharepointdri access-list outside_access_in_1 extended permit object-group DM_INLINE_SERVICE_10 object natmreze any access-list outside_access_out extended permit object-group DM_INLINE_SERVICE_9 any any access-list outside_access_out extended permit object-group DM_INLINE_SERVICE_11 object natmreze 10.15.100.0 255.255.255.0 pager lines 24logging asdm informationalmtu inside 1500mtu outside 1500icmp unreachable rate-limit 1 burst-size 1no asdm history enablearp outside 10.13.74.1 000d.bd64.a8e2 arp timeout 14400!object network server nat (inside,outside) static 10.13.74.34 dnsobject network sharepointdri nat (any,any) static 10.13.74.39object network nonat nat (inside,outside) static 192.168.0.20object network natmreze nat (any,any) static 10.13.74.42 dnsaccess-group inside_access_in in interface insideaccess-group inside_access_out out interface insideaccess-group outside_access_in_1 in interface outsideaccess-group outside_access_out out interface outsideroute outside 0.0.0.0 0.0.0.0 10.13.74.1 1route outside 10.15.100.0 255.255.255.0 10.13.74.1 1timeout xlate 3:00:00timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolutetimeout tcp-proxy-reassembly 0:01:00timeout floating-conn 0:00:00dynamic-access-policy-record DfltAccessPolicyuser-identity default-domain LOCALhttp server enablehttp 192.168.0.0 255.255.255.0 insideno snmp-server locationno snmp-server contactsnmp-server enable traps snmp authentication linkup linkdown coldstart warmstarttelnet timeout 5ssh timeout 5console timeout 0dhcpd auto_config outside!threat-detection basic-threatthreat-detection statistics access-listno threat-detection statistics tcp-interceptwebvpn!class-map inspection_default match default-inspection-traffic!!policy-map type inspect dns preset_dns_map parameters message-length maximum client auto message-length maximum 512policy-map type inspect ftp paragraf parameterspolicy-map global_policy class inspection_default inspect dns inspect icmp inspect ip-options inspect netbios inspect tftp inspect h323 h225 inspect h323 ras !service-policy global_policy globalprompt hostname context state priority domain no call-home reporting anonymousCryptochecksum:61572938ed01b1c7447e43fcb2df4bc8: end
what i do? plz help me?
thanks

Please do this, and let me know how it goes
no access-list nonat extended permit object-group DM_INLINE_SERVICE_8 192.168.0.0 255.255.255.0 object-group DM_INLINE_NETWORK_1
no access-list uprava_access_out extended permit object-group DM_INLINE_SERVICE_3 object dri.local 10.13.74.0 255.255.255.0
no access-list uprava_access_out extended permit object-group DM_INLINE_SERVICE_4 any any
no access-list uprava_access_out extended permit object-group DM_INLINE_SERVICE_3 192.168.0.0 255.255.255.0 10.13.74.0 255.255.255.0
access-list inside_access_in line 1 permit ip 192.168.0.0 255.255.255.0 any
access-list outside_access_in_1 line 1 permit ip any 192.168.0.0 255.255.255.0
no object network nonat
no access-group inside_access_out out interface inside
no access-group outside_access_out out interface outside
no route outside 10.15.100.0 255.255.255.0 10.13.74.1 1

Problems with NAT and UDP

hi Everyone,
I'm running a Cisco 3620 with two interfaces, a FE and an ADSL WIC, and I'm noticing some unexpected behaviour with NAT(ing) some UDP ports, here are the config rules in question:
ip nat inside source static udp 192.168.100.26 14000 interface Dialer1 14000
ip nat inside source static udp 192.168.100.26 14001 interface Dialer1 14001
ip nat inside source static udp 192.168.100.26 14001 interface Dialer1 14002
when I receive traffic through those ports, I see the following in
show ip nat translations | include 14000
udp 64.7.136.227:1038     192.168.100.26:14000 67.163.252.29:62564    67.163.252.29:62564
udp 64.7.136.227:1039     192.168.100.26:14000   67.163.252.29:62564   67.163.252.29:62564
udp 64.7.136.227:1040      192.168.100.26:14000 67.163.252.29:62564   67.163.252.29:62564
udp 64.7.136.227:1041     192.168.100.26:14000 67.163.252.29:62564    67.163.252.29:62564
udp 64.7.136.227:1042     192.168.100.26:14000   67.163.252.29:62564   67.163.252.29:62564
udp 64.7.136.227:1043      192.168.100.26:14000 67.163.252.29:62564   67.163.252.29:62564
udp 64.7.136.227:1044     192.168.100.26:14000 67.163.252.29:62564    67.163.252.29:62564
udp 64.7.136.227:14000    192.168.100.26:14000   ---                   ---
How can I make this NAT static so that every host originates from port 14000 rather then a dynamic one that is being assigned now?
Any help is greatly appreaciated.
Aleks

Perhaps I wasn't clear enough in what I needed it to do, here's a show ip nat translations for another (working) NAT
(d) port on the same router:
tcp 64.7.136.227:6667     192.168.100.199:6667 xxx.xxx.xxx.xxx:54375 xxx.xxx.xxx.xxx:54375
tcp 64.7.136.227:6667     192.168.100.199:6667 xxx.xxx.xxx.xxx:50183 xxx.xxx.xxx.xxx:50183
tcp 64.7.136.227:6667     192.168.100.199:6667 xxx.xxx.xxx.xxx:50891 xxx.xxx.xxx.xxx:50891
tcp 64.7.136.227:6667     192.168.100.199:6667 xxx.xxx.xxx.xxx:60443   xxx.xxx.xxx.xxx:60443
tcp 64.7.136.227:6667     192.168.100.199:6667 xxx.xxx.xxx.xxx:2897     xxx.xxx.xxx.xxx:2897
tcp 64.7.136.227:6667     192.168.100.199:6667 xxx.xxx.xxx.xxx:51890    xxx.xxx.xxx.xxx:51890
Notice how the forwarded port is the same on the router interface (64.7.136.227:6667) accross all of the connections that have connected. Now this NAT rule behaves as it should, same syntax used as for the one I originally posted
ip nat inside source static tcp 192.168.100.199 6667 interface Dialer1 6667
the only difference is that this one gets properly assigned to the requested port, whereas these rules
ip nat inside source static udp 192.168.100.26 14000 interface Dialer1 14000
ip nat inside source static udp 192.168.100.26 14001 interface Dialer1 14001
ip nat inside source static udp 192.168.100.26 14001 interface Dialer1 14002
have a dynamically assigned port on (64.7.136.227) interface, as the show ip nat translations shows:
udp 64.7.136.227:1038     192.168.100.26:14000 67.163.252.29:62564     67.163.252.29:62564
udp 64.7.136.227:1039     192.168.100.26:14000    67.163.252.29:62564   67.163.252.29:62564
udp 64.7.136.227:1040       192.168.100.26:14000 67.163.252.29:62564   67.163.252.29:62564
Basically how do I get the three rules to behave the same way as the one on top does...
Thank you,
Aleks

How to configure BODS in network environment with NAT ?

Hi Team,
Now we are working on POC of BO Data Services 4.0 with SI partner and they reported us that a communication error (error code:BODI-1241023) occurred when they started a job from Designer.
They can do it without any problems in the following two cases.
1. from Designer which is installed in the CMS/JobServer machine
2. from Designer which is installed in local PC within internal network (without firewall / NAT)
That is, the cause is Firewall with NAT(Network Address Translation) between Designer and JobServer/CMS.
And, they can log on to CMS/JobServer with NAT environment, however, cann't start a job from Designer.
The port #3500 for JobServer is open. They confirmed that they could log on to the JobServer in the event log
of the JobServer.
That is, Designer -> CMS/JobServer communication is OK, but JobServer -> Designer communication must be NG.
Could you advise us how to configure BODS both client and server sides in the network environment with NAT ?
Thanks and best regards,

HI Buddy,
You can achieve this by $FLEX$, create first value set, and assign it to first field. Create second value set based on first value set using $FLEX$.
follow steps mentioned in the bellow link
http://erpschools.com/articles/usage-of-flex

Example Config ACE routed mode with NAT

Hi all,
i have a two-arm loadbalancer (routed mode).
client ->vlan100->[VIP]Loadbalancer[NAT] ->vlan200-> serverfarm
But i have my problems to configure the NAT. Can anybody show me a example configuration of a two-arm loadbalancer with NAT?
Especially the access-list, class-map, policy-map and on which interface the NAT-Policy must be added.
BR
Dominik

Hi Dominik,
Something like this:
access-list ANYONE line 10 extended permit ip any any
rserver host SERVER_01
ip address 10.198.16.2
inservice
rserver host SERVER_02
ip address 10.198.16.3
inservice
rserver host SERVER_03
ip address 10.198.16.4
inservice
serverfarm host REAL_SERVERS
rserver SERVER_01
    inservice
rserver SERVER_02
    inservice
rserver SERVER_03
    inservice
class-map match-all VIP-30
2 match virtual-address 192.168.1.30 tcp eq www
class-map type management match-any REMOTE_ACCESS
description remote-access-traffic-match
2 match protocol telnet any
3 match protocol ssh any
4 match protocol icmp any
policy-map type management first-match REMOTE_MGT
class REMOTE_ACCESS
    permit
policy-map type loadbalance first-match SLB_LOGIC
class class-default
    serverfarm REAL_SERVERS
policy-map multi-match CLIENT_VIPS
class VIP-30
    loadbalance vip inservice
    loadbalance policy SLB_LOGIC
    loadbalance vip icmp-reply active
    nat dynamic 1 vlan 452
interface vlan 451
    ip address 192.168.1.2 255.255.255.0
access-group input ANYONE
service-policy input CLIENT_VIPS
no shutdown
interface vlan 452
description Servers vlan
ip address 10.198.16.1 255.255.255.0
access-group input ANYONE
nat-pool 1 10.198.16.5 10.198.16.5 netmask 255.255.255.0 pat
no shutdown
ip route 0.0.0.0 0.0.0.0 192.168.1.1
Cesar R
ANS Team

IPSEC b/w ASA and Router --- with nat stuff

I need help regarding the following issue..
An asa is connected to a router which is connected to the internet.
A vpn must be established b/w ASA and a router that is over internet . The ASA is not directly connected to the internet. It is connected to a router which nat the Asa outside ip to a static global IP .
All i need to know is that do need any special configs for this . or its the same as if ASA would have been directly connected to the internet

In order to configure a LAN-to-LAN tunnel between a Cisco IOS? router and an Adaptive Security Appliance (ASA), these configurations are required on the ASA:
Configure the crypto ipsec command in Phase 2.
Configure the isakmp policy command.
Configure the nat 0 command and the access-list command in order to bypass NATting.
Configure the crypto-map command.
Configure the tunnel-group DefaultL2LGroup command with group information

Help with VPN ASA5510 to ASA5505

Hello All
I would like to request help from the community. Let me say that I'm not really a VPN guy.
I just joined this company and they already ad a VPN to one of their partners that provides them access to some resources. We have now added a 2nd location but the partner wouldnt allow a 2nd VPN tunnel so the decision was made to give the new location a ASA5505 to tunnel thru the main office to access the resources at the partners site.
Using ASDM i believe i was able to setup the tunnel to the main office but there is no resource there to use. Now i'm stuck and i do not know what to do to get to the partner site
I would really appreciate your help
See documents attached
Thank you in Advance

Jennifer Halim
I really thank you for your help when i needed it. On top of your config provided, and with a friend's help we had to add the follwing to make it work:
Access-list outside_nat extended permit ip 172.16.8.0 255.255.255.0 object-group W_dest
Nat (outside) 1 access-list outside_nat
Now we are still testing access to all the tools but it seems to be working fine.
Thank you,

ASA5505 Upgrade to 9.1.5 from 8.4.1 - problem with nat and accessing external host

When running on 8.4 i had a working config with the following scenario.
I have 2 interfaces configured as the outside interface.
One is connected to my internet connection
The other one is connected to a host that has a public ip.
The public host can access internet and also a PAT port on an internal host.
But after the upgrade the internal hosts can't access the external host but everything else on internet
packet-tracer input inside tcp 10.x.x.11 1024 x.x.x.89 22
Phase: 1
Type: ACCESS-LIST
Subtype:
Result: ALLOW
Config:
Implicit Rule
Additional Information:
MAC Access list
Phase: 2
Type: ROUTE-LOOKUP
Subtype: input
Result: ALLOW
Config:
Additional Information:
in x.x.x.0 255.255.240.0 outside
Result:
input-interface: inside
input-status: up
input-line-status: up
output-interface: outside
output-status: up
output-line-status: up
Action: drop
Drop-reason: (nat-no-xlate-to-pat-pool) Connection to PAT address without pre-existing xlate
If i add 1 to the destination ip:
packet-tracer input inside tcp 10.x.x.11 1024 x.x.x.90 22
Phase: 1
Type: ROUTE-LOOKUP
Subtype: input
Result: ALLOW
Config:
Additional Information:
in x.x.x.0 255.255.240.0 outside
Phase: 2
Type: ACCESS-LIST
Subtype: log
Result: ALLOW
Config:
access-group inside_access_in in interface inside
access-list inside_access_in extended permit ip any4 any4
Additional Information:
Phase: 3
Type: NAT
Subtype:
Result: ALLOW
Config:
nat (inside,outside) source dynamic any interface
Additional Information:
Dynamic translate 10.x.x.11/1024 to x.x.x.80/1024
Phase: 4
Type: NAT
Subtype: per-session
Result: ALLOW
Config:
Additional Information:
Phase: 5
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:
Phase: 6
Type: NAT
Subtype: rpf-check
Result: ALLOW
Config:
nat (inside,outside) source dynamic any interface
Additional Information:
Phase: 7
Type: USER-STATISTICS
Subtype: user-statistics
Result: ALLOW
Config:
Additional Information:
Phase: 8
Type: NAT
Subtype: per-session
Result: ALLOW
Config:
Additional Information:
Phase: 9
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:
Phase: 10
Type: USER-STATISTICS
Subtype: user-statistics
Result: ALLOW
Config:
Additional Information:
Phase: 11
Type: FLOW-CREATION
Subtype:
Result: ALLOW
Config:
Additional Information:
New flow created with id 98586, packet dispatched to next module
Result:
input-interface: inside
input-status: up
input-line-status: up
output-interface: outside
output-status: up
output-line-status: up
Action: allow
Nat rules:
nat (inside,outside) source static IPv6_HOST interface service https https
nat (inside,outside) source static IPv6_HOST interface service http http
nat (inside,outside) source static IPv6_HOST interface service ssh ssh
nat (inside,outside) source static INTERNAL interface destination static EXTERNAL EXTERNAL service apcupsd apcupsd
nat (inside,outside) source static IPv6_HOST interface destination static IPv6_POP IPv6_POP
nat (inside,outside) source dynamic any interface
The EXTERNAL is the host that is connected to an outside interface and that NAT rule works ok.
I can ping the EXTERNAL host from the ASA but not from the internal network.
Any ideas would be appreciated.

Hmmm, by adding the following i got it working:
nat (inside,outside) source static IPv6_HOST interface service https https
nat (inside,outside) source static IPv6_HOST interface service http http
nat (inside,outside) source static IPv6_HOST interface service ssh ssh
nat (inside,outside) source static INTERNAL interface destination static EXTERNAL EXTERNAL service apcupsd apcupsd
nat (inside,outside) source static IPv6_HOST interface destination static IPv6_POP IPv6_POP
nat (inside,outside) source dynamic inside interface destination static EXTERNAL EXTERNAL
nat (inside,outside) source dynamic any interface
It is a bit complicated though since the EXTERNAL host get it's address via DHCP and so does the ASA.

RV042 Site-to-Stie VPN with NAT on one side

I set up a site-to-site VPN using two RV042s some time ago. One was behind a NATting router. The other was the internet interface itself.
Somewhere I had found a paper describing how to do this. It said that only ONE of them could be behind another NATting router. So, that's how this was set up. I sure wish I could find that paper again!!! Any suggestions?
Now I have to do the same thing again but can't get it working. It looks like this:
RV042 VPN public address <> cable modem <> internet <> RV042 "firewall" with IPSEC passthrough enabled <> interim subnet LAN <> RV042 VPN <> LAN
I'm getting log messages and on the remote site log (the left side of the above) like:
initial Aggressive Mode packet claiming to be from [xxx.xxx.xxx.xxx] on [same] but no connection has been authorized
and
No suitable connection for peer '10.98.76.2', Please check Phase 1 ID value
(where 10.98.76.2 is the IP address of the RV042 WAN port on the interim subnet)
I have them both in Aggressive mode as eventually I'll be using a dyndns url. But, for now, I'm using the actual IP addresses so that should not be an issue one way or the other..

make sure the configuration u do on both the side should be same....and secondly exempt the NAT rules then only it will work.

Setting up IPsec VPNs to use with Cisco Anyconnect

So I've been having trouble setting up vpns on our ASA 5510. I would like to use IPsec VPNs so that we don't have to worry about licensing issues, but from what I've read you can do this with and still use Cisco Anyconnect. My knowledge on how to set up VPNs especially in iOS verion 8.4 is limited so I've been using a combination of command line and ASDM.
I'm finally able to connect from a remote location but once I connect, nothing else works. From what I've read, you can use IPsec for client-to-lan connections. I've been using a preshared key for this. Documentation is limited on what should happen after you connect? Shouldn't I be able to access computers that are local to the vpn connection? I'm trying to set this up from work. If I VPN from home, shouldn't I be able to access all resources at work? I think because I've used the command line as well as ASDM I've confused some of the configuration. Plus I think some of the default policies are confusing me too. So I probably need a lot of help. Below is my current configuration with IP address altered and stuff that is completely non-related to vpns removed.
NOTE: We are still testing this ASA and it isn't in production.
Any help you can give me is much appreciated.
ASA Version 8.4(2)
hostname ASA
domain-name domain.com
interface Ethernet0/0
nameif inside
security-level 100
ip address 192.168.0.1 255.255.255.0
interface Ethernet0/1
nameif outside
security-level 0
ip address 50.1.1.225 255.255.255.0
interface Ethernet0/2
shutdown
no nameif
no security-level
no ip address
interface Ethernet0/3
shutdown
no nameif
no security-level
no ip address
interface Management0/0
no nameif
security-level 100
ip address 192.168.1.1 255.255.255.0
boot system disk0:/asa842-k8.bin
ftp mode passive
dns domain-lookup outside
dns server-group DefaultDNS
same-security-traffic permit intra-interface
object network NETWORK_OBJ_192.168.0.224_27
subnet 192.168.0.224 255.255.255.224
object-group service VPN
service-object esp
service-object tcp destination eq ssh
service-object tcp destination eq https
service-object udp destination eq 443
service-object udp destination eq isakmp
access-list ips extended permit ip any any
ip local pool VPNPool 192.168.0.225-192.168.0.250 mask 255.255.255.0
no failover
failover timeout -1
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-645.bin
no asdm history enable
arp timeout 14400
nat (inside,outside) source static any any destination static NETWORK_OBJ_192.168.0.224_27 NETWORK_OBJ_192.168.0.224_27 no-proxy-arp route-lookup
object network LAN
nat (inside,outside) dynamic interface
access-group outside_in in interface outside
route outside 0.0.0.0 0.0.0.0 50.1.1.250 1
sysopt noproxyarp inside
sysopt noproxyarp outside
crypto ipsec ikev1 transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-DES-SHA esp-des esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-DES-MD5 esp-des esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac
crypto ipsec ikev2 ipsec-proposal DES
protocol esp encryption des
protocol esp integrity sha-1 md5
crypto ipsec ikev2 ipsec-proposal 3DES
protocol esp encryption 3des
protocol esp integrity sha-1 md5
crypto ipsec ikev2 ipsec-proposal AES
protocol esp encryption aes
protocol esp integrity sha-1 md5
crypto ipsec ikev2 ipsec-proposal AES192
protocol esp encryption aes-192
protocol esp integrity sha-1 md5
crypto ipsec ikev2 ipsec-proposal AES256
protocol esp encryption aes-256
protocol esp integrity sha-1 md5
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set pfs group1
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set ikev1 transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set ikev2 ipsec-proposal AES256 AES192 AES 3DES DES
crypto map outside_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
crypto map outside_map interface outside
crypto ca trustpoint ASDM_TrustPoint0
enrollment self
subject-name CN=ASA
crl configure
crypto ca server
shutdown
crypto ca certificate chain ASDM_TrustPoint0
certificate d2c18c4e
    308201f3 3082015c a0030201 020204d2 c18c4e30 0d06092a 864886f7 0d010105
    0500303e 3110300e 06035504 03130741 53413535 3130312a 30280609 2a864886
    f70d0109 02161b41 53413535 31302e64 69676974 616c6578 7472656d 65732e63
    6f6d301e 170d3131 31303036 31393133 31365a17 0d323131 30303331 39313331
    365a303e 3110300e 06035504 03130741 53413535 3130312a 30280609 2a864886
    f70d0109 02161b41 53413535 31302e64 69676974 616c6578 7472656d 65732e63
    6f6d3081 9f300d06 092a8648 86f70d01 01010500 03818d00 30818902 818100b2
    8acbe1f4 5aa19dc5 d3379bf0 f0e1177d 79b2b7cf cc6b4623 d1d97d4c 53c9643b
    37f32caf b13b5205 d24457f2 b5d674cb 399f86d0 e6c3335f 031d54f4 d6ca246c
    234b32b2 b3ad2bf6 e3f824c0 95bada06 f5173ad2 329c28f8 20daaccf 04c51782
    3ca319d0 d5d415ca 36a9eaff f9a7cf9c f7d5e6cc 5f7a3412 98e71de8 37150f02
    03010001 300d0609 2a864886 f70d0101 05050003 8181009d d2d4228d 381112a1
    cfd05ec1 0f51a828 0748172e 3ff7b480 26c197f5 fd07dd49 01cd9db6 9152c4dc
    18d0f452 50f5d0f5 4a8279c4 4c1505f9 f5e691cc 59173dd1 7b86de4f 4e804ac6
    beb342d1 f2db1d1f 878bb086 981536cf f4094dbf 36c5371f e1a0db0a 75685bef
    af72e31f a1c4a892 d0acc618 888b53d1 9b888669 70e398
quit
crypto ikev2 policy 1
encryption aes-256
integrity sha
group 5 2
prf sha
lifetime seconds 86400
crypto ikev2 policy 10
encryption aes-192
integrity sha
group 5 2
prf sha
lifetime seconds 86400
crypto ikev2 policy 20
encryption aes
integrity sha
group 5 2
prf sha
lifetime seconds 86400
crypto ikev2 policy 30
encryption 3des
integrity sha
group 5 2
prf sha
lifetime seconds 86400
crypto ikev2 policy 40
encryption des
integrity sha
group 5 2
prf sha
lifetime seconds 86400
crypto ikev2 enable outside client-services port 443
crypto ikev2 remote-access trustpoint ASDM_TrustPoint0
crypto ikev1 enable outside
crypto ikev1 policy 10
authentication pre-share
encryption 3des
hash sha
group 2
lifetime 86400
crypto ikev1 policy 65535
authentication pre-share
encryption 3des
hash sha
group 2
lifetime 86400
telnet timeout 5
ssh timeout 10
console timeout 0
management-access inside
ssl trust-point ASDM_TrustPoint0 outside
webvpn
enable outside
anyconnect image disk0:/anyconnect-win-2.5.2014-k9.pkg 1
anyconnect image disk0:/anyconnect-linux-2.5.2014-k9.pkg 2
anyconnect image disk0:/anyconnect-macosx-i386-2.5.2014-k9.pkg 3
anyconnect profiles VPN disk0:/devpn.xml
anyconnect enable
tunnel-group-list enable
group-policy VPN internal
group-policy VPN attributes
wins-server value 50.1.1.17 50.1.1.18
dns-server value 50.1.1.17 50.1.1.18
vpn-tunnel-protocol ikev1 ikev2 l2tp-ipsec ssl-client
default-domain value digitalextremes.com
webvpn
anyconnect profiles value VPN type user
always-on-vpn profile-setting
username administrator password xxxxxxxxx encrypted privilege 15
username VPN1 password xxxxxxxxx encrypted
tunnel-group VPN type remote-access
tunnel-group VPN general-attributes
address-pool (inside) VPNPool
address-pool VPNPool
authorization-server-group LOCAL
default-group-policy VPN
tunnel-group VPN webvpn-attributes
group-alias VPN enable
tunnel-group VPN ipsec-attributes
ikev1 pre-shared-key *****
class-map inspection_default
match default-inspection-traffic
class-map ips
match access-list ips
policy-map type inspect dns preset_dns_map
parameters
message-length maximum client auto
message-length maximum 512
policy-map global_policy
class inspection_default
inspect dns preset_dns_map
inspect ftp
inspect h323 h225
inspect h323 ras
inspect ip-options
inspect netbios
inspect rsh
inspect rtsp
inspect skinny
inspect esmtp
inspect sqlnet
inspect sunrpc
inspect tftp
inspect sip
inspect xdmcp
inspect http
class ips
ips inline fail-open
class class-default
user-statistics accounting

Hi Marvin, thanks for the quick reply.
It appears that we don't have Anyconnect Essentials.
Licensed features for this platform:
Maximum Physical Interfaces       : Unlimited      perpetual
Maximum VLANs                     : 100            perpetual
Inside Hosts                      : Unlimited      perpetual
Failover                          : Active/Active perpetual
VPN-DES                           : Enabled        perpetual
VPN-3DES-AES                      : Enabled        perpetual
Security Contexts                 : 2              perpetual
GTP/GPRS                          : Disabled       perpetual
AnyConnect Premium Peers          : 2              perpetual
AnyConnect Essentials             : Disabled       perpetual
Other VPN Peers                   : 250            perpetual
Total VPN Peers                   : 250            perpetual
Shared License                    : Disabled       perpetual
AnyConnect for Mobile             : Disabled       perpetual
AnyConnect for Cisco VPN Phone    : Disabled       perpetual
Advanced Endpoint Assessment      : Disabled       perpetual
UC Phone Proxy Sessions           : 2              perpetual
Total UC Proxy Sessions           : 2              perpetual
Botnet Traffic Filter             : Disabled       perpetual
Intercompany Media Engine         : Disabled       perpetual
This platform has an ASA 5510 Security Plus license.
So then what does this mean for us VPN-wise? Is there any way we can set up multiple VPNs with this license?

IPsec Site-to-Site with RSA sign stuck on MM_KEY_EXCH

I am currently studying for CCNA Security, and i would like to be able to configure a Site-to-Site VPN with RSA sig with a windows server 2012 acting as AD and CA. I already have enable scep on windows server 2012 and disable the enrollement challenge password.
Since two days, i am completly stuck on MM_KEY_EXCH error.
Here is my lab:
http://i59.tinypic.com/2502h76.png
I have 3 router 3600 ios 12.4(16) - C3640-JK9S-M.
On the left is my Active Directory/CA with a static nat from 192.168.2.254 to 1.1.1.3, so it can be joined from outside by R2.
On the right, just an outside client.
I am trying to authenticate R1 and R2 with RSA sign from my AD/CA.
I have already tried NAT-T...
The clock on both routers is matching the clock of AD/CA
Some configuration:
R1 (1.1.1.2)
ip domain name cisco.ca
crypto pki trustpoint cisco-WIN-2EV0KQDK78U-CA
enrollment mode ra
enrollment url http://192.168.2.254:80/certsrv/mscep/mscep.dll
fqdn R1.cisco.ca
subject-name cn=R1.cisco.ca
revocation-check none
crypto isakmp policy 1
encr aes 256
hash md5
group 5
lifetime 3600
crypto ipsec transform-set SET esp-aes 256 esp-sha-hmac
crypto map MYMAP 1 ipsec-isakmp
set peer 2.2.2.2
set transform-set SET
set pfs group2
match address VPN
R1#sh crypto pki certificates
Certificate
Status: Available
Certificate Serial Number: 640000001B0C9BE947CCC8FB2B00000000001B
Certificate Usage: General Purpose
Issuer:
cn=cisco-WIN-2EV0KQDK78U-CA-2
dc=cisco
dc=ca
Subject:
Name: R1.cisco.ca
cn=R1.cisco.ca
hostname=R1.cisco.ca
CRL Distribution Points:
ldap:///CN=cisco-WIN-2EV0KQDK78U-CA-2,CN=WIN-2EV0KQDK78U,CN=CDP,CN=Public%20Key%20Services,CN=Services,CN= Configuration,DC=cisco,DC=ca?certificateRevocationList?base?objectClass=cRLDistributionPoint
Validity Date:
start date: 21:15:11 UTC Oct 26 2014
end date: 21:15:11 UTC Oct 25 2016
Associated Trustpoints: cisco-WIN-2EV0KQDK78U-CA
CA Certificate
Status: Available
Certificate Serial Number: 69B4A894E00EC58A47DA9812076DEF2D
Certificate Usage: Signature
Issuer:
cn=cisco-WIN-2EV0KQDK78U-CA-2
dc=cisco
dc=ca
Subject:
cn=cisco-WIN-2EV0KQDK78U-CA-2
dc=cisco
dc=ca
Validity Date:
start date: 00:27:45 UTC Oct 26 2014
end date: 00:37:45 UTC Oct 26 2019
Associated Trustpoints: cisco-WIN-2EV0KQDK78U-CA
R2 (2.2.2.2)
ip domain name cisco.ca
crypto pki trustpoint cisco-WIN-2EV0KQDK78U-CA
enrollment mode ra
enrollment url http://1.1.1.3:80/certsrv/mscep/mscep.dll
fqdn R2.cisco.ca
subject-name cn=R2.cisco.ca
revocation-check none
crypto isakmp policy 1
encr aes 256
hash md5
group 5
lifetime 3600
crypto ipsec transform-set SET esp-aes 256 esp-sha-hmac
crypto map MYMAP 1 ipsec-isakmp
set peer 1.1.1.2
set transform-set SET
set pfs group2
match address VPN
R2(config)#end
R2#sh c
Oct 26 19:27:28.007: %SYS-5-CONFIG_I: Configured from console by consoler
R2#sh cryp
R2#sh crypto pk
R2#sh crypto pki cer
R2#sh crypto pki certificates
Certificate
Status: Available
Certificate Serial Number: 640000001CDFE423EBA20E45EE00000000001C
Certificate Usage: General Purpose
Issuer:
cn=cisco-WIN-2EV0KQDK78U-CA-2
dc=cisco
dc=ca
Subject:
Name: R2.cisco.ca
cn=R2.cisco.ca
hostname=R2.cisco.ca
CRL Distribution Points:
ldap:///CN=cisco-WIN-2EV0KQDK78U-CA-2,CN=WIN-2EV0KQDK78U,CN=CDP,CN=Public%20Key%20Services,CN=Services,CN= Configuration,DC=cisco,DC=ca?certificateRevocationList?base?objectClass=cRLDistributionPoint
Validity Date:
start date: 21:18:03 UTC Oct 26 2014
end date: 21:18:03 UTC Oct 25 2016
Associated Trustpoints: cisco-WIN-2EV0KQDK78U-CA
CA Certificate
Status: Available
Certificate Serial Number: 69B4A894E00EC58A47DA9812076DEF2D
Certificate Usage: Signature
Issuer:
cn=cisco-WIN-2EV0KQDK78U-CA-2
dc=cisco
dc=ca
Subject:
cn=cisco-WIN-2EV0KQDK78U-CA-2
dc=cisco
dc=ca
Validity Date:
start date: 00:27:45 UTC Oct 26 2014
end date: 00:37:45 UTC Oct 26 2019
Associated Trustpoints: cisco-WIN-2EV0KQDK78U-CA
Here are some error that i get:
Oct 26 18:29:50.219: ISAKMP:(0:2:SW:1): processing CERT payload. message ID = 0
Oct 26 18:29:50.223: ISAKMP:(0:2:SW:1): processing a CT_X509_SIGNATURE cert
Oct 26 18:29:50.223: ISAKMP:(0:2:SW:1): peer's pubkey isn't cached
Oct 26 18:29:50.255: ISAKMP:(0:2:SW:1): Unable to get DN from certificate!
Oct 26 18:29:50.255: ISAKMP:(0:2:SW:1): Cert presented by peer contains no OU field.
Oct 26 18:29:50.271: ISAKMP:(0:2:SW:1): processing SIG payload. message ID = 0
Oct 26 18:29:50.271: ISAKMP (134217730): sa->peer.name = , sa->peer_id.id.id_fqdn.fqdn = R2.cisco.ca
Oct 26 18:29:50.271: %CRYPTO-3-IKMP_QUERY_KEY: Querying key pair failed.
Oct 26 18:29:50.271: ISAKMP (0:134217730): process_rsa_sig: Querying key pair failed.
Oct 26 18:29:50.271: ISAKMP:(0:2:SW:1):Input = IKE_MESG_INTERNAL, IKE_PROCESS_MAIN_MODE
Oct 26 18:29:50.271: ISAKMP:(0:2:SW:1):Old State = IKE_R_MM5 New State = IKE_R_MM5
Oct 26 18:35:22.175: %PKI-3-CERTIFICATE_INVALID_NOT_YET_VALID: Certificate chain validation has failed. The certificate (SN: 640000001CDFE423EBA20E45EE00000000001C) is not yet valid   Validity period starts on 21:18:03 UTC Oct 26 2014
Output of show crypto isakmp sa:
R1#sh crypto isakmp sa
dst             src             state          conn-id slot status
1.1.1.2         2.2.2.2         MM_KEY_EXCH         42    0 ACTIVE
1.1.1.2         2.2.2.2         MM_KEY_EXCH         41    0 ACTIVE
1.1.1.2         2.2.2.2         MM_NO_STATE         40    0 ACTIVE (deleted)
1.1.1.2         2.2.2.2         MM_NO_STATE         39    0 ACTIVE (deleted)
I would appreciate if someone can help me on this.
Thanks

Sorry, Config attached here.

Configuring PFR with NAT - Dual ISP

Hi,
We are configuring the pfr feature in a router, this router has two connections to Internet, different providers. I have the following question:
Is possible to configure two pool for NAT translations? one pool by each internet provider?
I attach the diagram.

Thanks Julio.
I have a second question.
I was able publish an internal server with the PFR function activated with two different ISP and using static nat for incoming connections without problem, however when I try to publish a IPSEC VPN server I can not publish the ESP protocol with two different public addresses. The IOS only permit the publication of the ESP protocol using only one public address. How I can publish the ESP protocol using two public addresses at the same time (ISPA-ISPB)?
Regards.

FlexVPN over MPLS with NAT

HI There,
I was wondering if an expert on FlexVPN would be able to comment on this..
I am looking to use FlexVPN hub and spoke deployment using the FLEXoMPLS feature... So I will have hub routers connected to remote routers via IPSec/GRE tunnels. This enables VRFs at hub and spokes to be joined via MPLS point-to-point link.
Can someone please confirm if it would be possible to NAT at the remote site with the VRF interface being on the inside and the IPSec/GRE tunnel in the global VRF on the outside??
Thanks in advance.
Lee.

Well thanks for all the help but I am not going to be able to use this method, I am not going to be able to connect a cable at all the sites, I don't know If I can just wire an RJ-45 as a loopback plug maybe but still not a good method. Also when I reconfigure my linux box with both the networks it does not add the second network and I loose ASDM, I guess I shouldnt have changed the management interface. Is there any other method, what I was wondering does it send the syslog with the asa outside interface IP to the remote syslog IP, if so can or would a NAT static with the orig. working on the outside with the asa IP and the dest of the syslog translating to a single IP on the VPN network back on the outside interface... seems like a simple thing to ask to do, I kind of understand what is going on but seems there needs to be a check box to say this syslog server is over a vpn and it takes care of all the magic.

IPsec ASA5510 to ASA5505 with NAT

Similar Messages

Maybe you are looking for