Ipsec together with outside NAT
Hi,
I have small office that is connected to the main office over a ipsec tunnel.
On the main office lan I have a server that only accept traffic from the main office inside lan.
Therefor I need to NAT incoming traffic from the ipsec tunnel with a new source address (a address from main office inside).
The ipsec tunnel is up and working.
How should the NAT look like?
I have tried with the "ip nat outside source "command, but it did not work completely (the traffic was NATed but when the response come the traffic was not sent back in to the tunnel.
Regards Niklas
You have to do NAT both ways and make sure that the config for ipsec tunnel is proper to allow the reply traffic to be sent via the tunnel. Following link may help you
http://www.cisco.com/en/US/docs/security/asa/asa70/configuration/guide/ike.html
Similar Messages
-
IPSEC tunnel with NAT and NetMeeting
I have established an IPSEC tunnel with two Cisco 2621 routers. Clients over the Internet are able to dial into the MCU server, which is behind one of the Cisco 2621 routers configured with NAT but the MCU is not able to call the client. The MCU is able to call any server or client on the LAN however it is not able to call anyone passed the router configured with NAT. Could anyone who has experience with NAT and IPSEC help me out?
Thanks,The following doc should help...
http://www.cisco.com/warp/public/707/ipsecnat.html -
Cisco ASA 5505 IPSEC, one endpoint behind NAT device
We have two Cisco ASA 5505 devices.
Both are identical, however, one of them is behind a NAT device.
We are attempting to create an IPSEC network.
Site fg:
<ipsec subnet1> -- ASA 5505 (ASA1) -- <internet>
ASA1: 10.1.1.2/24 (inside), 212.xxx.xxx.xxx/28 (outside)
Site be:
<ipsec_subnet2> -- ASA 5505 (ASA3) -- Zywall USG (USG1) -- <internet>
ASA3: 10.1.4.1/24 (inside), 192.168.4.50/24 (outside)
USG1: 192.168.4.100/24 (inside), 195.xxx.xxx.xxx/30 (outside)
USG1: UDP port 500/4500 forwarded to 192.168.4.50
It seems that ASA1 stops the procedure (we verified this with debug crypto isakmp 254):
Group = 195.xxx.xxx.xxx, IP = 195.xxx.xxx.xxx, QM FSM error (P2 struct &0xd1111cd8, mess id 0x81111a78)!
Group = 195.xxx.xxx.xxx, IP = 195.xxx.xxx.xxx, Rejecting IPSec tunnel: no matching crypto map entry for remote proxy 192.168.4.50/255.255.255.255/0/0 local proxy 212.xxx.xxx.xxx/255.255.255.255/0/0 on interface outside
Group = 195.xxx.xxx.xxx, IP = 195.xxx.xxx.xxx, PHASE 1 COMPLETED
We verified / attempted the following:
- NAT excemption on both sides for IPSEC subnets
- Mirror image crypto maps
- Disabled IKE peer ID validation (yes, pre-shared key but we ran out of ideas)
- Toggled between static to dynamic crypto maps on ASA1
Most search results turned up results referring to the incorrect settings of the crypto map or the lack of NAT excemption.
Does anyone have any idea?
195.txt contains show running-config of ASA3
212.txt contains show running-config of ASA1
log.txt contains somewhat entire log snipper of ASA1Hi,
on 212 is see
tunnel-group 195.xxx.xxx.xxx type ipsec-l2l
tunnel-group 195.xxx.xxx.xxx ipsec-attributes
pre-shared-key
When you define the peer with static tunnel-group entry ASA is looking for peer configuration in static crypto map. If the peer is behind static NAT configure a proper static crypto map with matching acl and proposals.
If the peer is behind dynamic nat refer this example :http://www.cisco.com/c/en/us/support/docs/security/pix-500-series-security-appliances/81883-ipsec-iosrtr-dyn-pix-nat.html
Regards,
Abaji. -
Need urgent help in configuring Client to Site IPSec VPN with Hairpinning on Cisco ASA5510 - 8.2(1).
The following is the Layout:
There are two Leased Lines for Internet access - 1.1.1.1 & 2.2.2.2, the latter being the Standard Default route, the former one is for backup.
I have been able to configure Client to Site IPSec VPN
1) With access from Outside to only the Internal Network (172.16.0.0/24) behind the asa
2) With Split tunnel with simultaneous assess to internal LAN and Outside Internet.
But I have not been able to make tradiotional Hairpinng model work in this scenario.
I followed every possible sugestions made in this regard in many Discussion Topics but still no luck. Can someone please help me out here???
Following is the Running-Conf with Normal Client to Site IPSec VPN configured with No internat Access:
LIMITATION: Can't Boot into any other ios image for some unavoidable reason, must use 8.2(1)
running-conf --- Working normal Client to Site VPN without internet access/split tunnel
ASA Version 8.2(1)
hostname ciscoasa
domain-name cisco.campus.com
enable password xxxxxxxxxxxxxx encrypted
passwd xxxxxxxxxxxxxx encrypted
names
interface GigabitEthernet0/0
nameif internet1-outside
security-level 0
ip address 1.1.1.1 255.255.255.240
interface GigabitEthernet0/1
nameif internet2-outside
security-level 0
ip address 2.2.2.2 255.255.255.224
interface GigabitEthernet0/2
nameif dmz-interface
security-level 0
ip address 10.0.1.1 255.255.255.0
interface GigabitEthernet0/3
nameif campus-lan
security-level 0
ip address 172.16.0.1 255.255.0.0
interface Management0/0
nameif CSC-MGMT
security-level 100
ip address 10.0.0.4 255.255.255.0
boot system disk0:/asa821-k8.bin
boot system disk0:/asa843-k8.bin
ftp mode passive
dns server-group DefaultDNS
domain-name cisco.campus.com
same-security-traffic permit inter-interface
same-security-traffic permit intra-interface
object-group network cmps-lan
object-group network csc-ip
object-group network www-inside
object-group network www-outside
object-group service tcp-80
object-group service udp-53
object-group service https
object-group service pop3
object-group service smtp
object-group service tcp80
object-group service http-s
object-group service pop3-110
object-group service smtp25
object-group service udp53
object-group service ssh
object-group service tcp-port
object-group service udp-port
object-group service ftp
object-group service ftp-data
object-group network csc1-ip
object-group service all-tcp-udp
access-list INTERNET1-IN extended permit ip host 1.2.2.2 host 2.2.2.3
access-list CSC-OUT extended permit ip host 10.0.0.5 any
access-list CAMPUS-LAN extended permit tcp 172.16.0.0 255.255.0.0 any eq www
access-list CAMPUS-LAN extended permit tcp 172.16.0.0 255.255.0.0 any eq https
access-list CAMPUS-LAN extended permit tcp 172.16.0.0 255.255.0.0 any eq ssh
access-list CAMPUS-LAN extended permit tcp 172.16.0.0 255.255.0.0 any eq ftp
access-list CAMPUS-LAN extended permit udp 172.16.0.0 255.255.0.0 any eq domain
access-list CAMPUS-LAN extended permit tcp 172.16.0.0 255.255.0.0 any eq smtp
access-list CAMPUS-LAN extended permit tcp 172.16.0.0 255.255.0.0 any eq pop3
access-list CAMPUS-LAN extended permit ip any any
access-list csc-acl remark scan web and mail traffic
access-list csc-acl extended permit tcp any any eq smtp
access-list csc-acl extended permit tcp any any eq pop3
access-list csc-acl remark scan web and mail traffic
access-list INTERNET2-IN extended permit tcp any host 1.1.1.2 eq 993
access-list INTERNET2-IN extended permit tcp any host 1.1.1.2 eq imap4
access-list INTERNET2-IN extended permit tcp any host 1.1.1.2 eq 465
access-list INTERNET2-IN extended permit tcp any host 1.1.1.2 eq www
access-list INTERNET2-IN extended permit tcp any host 1.1.1.2 eq https
access-list INTERNET2-IN extended permit tcp any host 1.1.1.2 eq smtp
access-list INTERNET2-IN extended permit tcp any host 1.1.1.2 eq pop3
access-list INTERNET2-IN extended permit ip any host 1.1.1.2
access-list nonat extended permit ip 172.16.0.0 255.255.0.0 172.16.0.0 255.255.0.0
access-list DNS-inspect extended permit tcp any any eq domain
access-list DNS-inspect extended permit udp any any eq domain
access-list capin extended permit ip host 172.16.1.234 any
access-list capin extended permit ip host 172.16.1.52 any
access-list capin extended permit ip any host 172.16.1.52
access-list capin extended permit ip host 172.16.0.82 host 172.16.0.61
access-list capin extended permit ip host 172.16.0.61 host 172.16.0.82
access-list capout extended permit ip host 2.2.2.2 any
access-list capout extended permit ip any host 2.2.2.2
access-list campus-lan_nat0_outbound extended permit ip 172.16.0.0 255.255.0.0 192.168.150.0 255.255.255.0
pager lines 24
logging enable
logging buffered debugging
logging asdm informational
mtu internet1-outside 1500
mtu internet2-outside 1500
mtu dmz-interface 1500
mtu campus-lan 1500
mtu CSC-MGMT 1500
ip local pool vpnpool1 192.168.150.2-192.168.150.250 mask 255.255.255.0
ip verify reverse-path interface internet2-outside
ip verify reverse-path interface dmz-interface
ip verify reverse-path interface campus-lan
ip verify reverse-path interface CSC-MGMT
no failover
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-621.bin
no asdm history enable
arp timeout 14400
global (internet1-outside) 1 interface
global (internet2-outside) 1 interface
nat (campus-lan) 0 access-list campus-lan_nat0_outbound
nat (campus-lan) 1 0.0.0.0 0.0.0.0
nat (CSC-MGMT) 1 10.0.0.5 255.255.255.255
static (CSC-MGMT,internet2-outside) 2.2.2.3 10.0.0.5 netmask 255.255.255.255
access-group INTERNET2-IN in interface internet1-outside
access-group INTERNET1-IN in interface internet2-outside
access-group CAMPUS-LAN in interface campus-lan
access-group CSC-OUT in interface CSC-MGMT
route internet2-outside 0.0.0.0 0.0.0.0 2.2.2.5 1
route internet1-outside 0.0.0.0 0.0.0.0 1.1.1.5 2
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
dynamic-access-policy-record DfltAccessPolicy
aaa authentication ssh console LOCAL
aaa authentication enable console LOCAL
http server enable
http 10.0.0.2 255.255.255.255 CSC-MGMT
http 10.0.0.8 255.255.255.255 CSC-MGMT
http 1.2.2.2 255.255.255.255 internet2-outside
http 1.2.2.2 255.255.255.255 internet1-outside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
crypto ipsec transform-set ESP-DES-SHA esp-des esp-sha-hmac
crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac
crypto ipsec transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto ipsec transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
crypto ipsec transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
crypto ipsec transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac
crypto ipsec transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set pfs group5
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5
crypto map internet2-outside_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
crypto map internet2-outside_map interface internet2-outside
crypto ca trustpoint _SmartCallHome_ServerCA
crl configure
crypto ca certificate chain _SmartCallHome_ServerCA
certificate ca xyzxyzxyzyxzxyzxyzxyzxxyzyxzyxzy
a67a897as a67a897as a67a897as a67a897as a67a897as a67a897as a67a897as a67a897as a67a897as
a67a897as a67a897as a67a897as a67a897as a67a897as a67a897as a67a897as a67a897as a67a897as
a67a897as a67a897as a67a897as a67a897as a67a897as a67a897as a67a897as a67a897as a67a897as
a67a897as a67a897as a67a897as a67a897as a67a897as a67a897as a67a897as a67a897as a67a897as
a67a897as a67a897as a67a897as a67a897as a67a897as a67a897as a67a897as a67a897as a67a897as
a67a897as a67a897as a67a897as a67a897as a67a897as a67a897as a67a897as a67a897as a67a897as
a67a897as a67a897as a67a897as a67a897as a67a897as a67a897as a67a897as a67a897as a67a897as
a67a897as a67a897as a67a897as a67a897as a67a897as a67a897as a67a897as a67a897as a67a897as
a67a897as a67a897as a67a897as a67a897as a67a897as a67a897as a67a897as a67a897as a67a897as
a67a897as a67a897as a67a897as a67a897as a67a897as a67a897as a67a897as a67a897as a67a897as
a67a897as a67a897as a67a897as a67a897as a67a897as a67a897as a67a897as a67a897as a67a897as
a67a897as a67a897as a67a897as a67a897as a67a897as a67a897as a67a897as a67a897as a67a897as
a67a897as a67a897as a67a897as a67a897as a67a897as a67a897as a67a897as a67a897as a67a897as
a67a897as a67a897as a67a897as a67a897as a67a897as a67a897as a67a897as a67a897as a67a897as
a67a897as a67a897as a67a897as a67a897as a67a897as
quit
crypto isakmp enable internet2-outside
crypto isakmp policy 10
authentication pre-share
encryption aes
hash md5
group 2
lifetime 86400
telnet 10.0.0.2 255.255.255.255 CSC-MGMT
telnet 10.0.0.8 255.255.255.255 CSC-MGMT
telnet timeout 5
ssh 1.2.3.3 255.255.255.240 internet1-outside
ssh 1.2.2.2 255.255.255.255 internet1-outside
ssh 1.2.2.2 255.255.255.255 internet2-outside
ssh timeout 5
console timeout 0
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
webvpn
group-policy VPN_TG_1 internal
group-policy VPN_TG_1 attributes
vpn-tunnel-protocol IPSec
username ssochelpdesk password xxxxxxxxxxxxxx encrypted privilege 15
username administrator password xxxxxxxxxxxxxx encrypted privilege 15
username vpnuser1 password xxxxxxxxxxxxxx encrypted privilege 0
username vpnuser1 attributes
vpn-group-policy VPN_TG_1
tunnel-group VPN_TG_1 type remote-access
tunnel-group VPN_TG_1 general-attributes
address-pool vpnpool1
default-group-policy VPN_TG_1
tunnel-group VPN_TG_1 ipsec-attributes
pre-shared-key *
class-map cmap-DNS
match access-list DNS-inspect
class-map csc-class
match access-list csc-acl
policy-map type inspect dns preset_dns_map
parameters
message-length maximum 512
policy-map global_policy
class csc-class
csc fail-open
class cmap-DNS
inspect dns preset_dns_map
service-policy global_policy global
prompt hostname context
Cryptochecksum: y0y0y0y0y0y0y0y0y0y0y0y0y0y
: end
Neither Adding dynamic NAT for 192.168.150.0/24 on outside interface works, nor does the sysopt connection permit-vpn works
Please tell what needs to be done here, to hairpin all the traffic to internet comming from VPN Clients.
That is I need clients conected via VPN tunnel, when connected to internet, should have their IP's NAT'ted against the internet2-outside interface address 2.2.2.2, as it happens for the Campus Clients (172.16.0.0/16)
I'm not much conversant with everything involved in here, therefore please be elaborative in your replies. Please let me know if you need any more information regarding this setup to answer my query.
Thanks & Regards
maxsHi Jouni,
Thanks again for your help, got it working. Actually the problem was ASA needed some time after configuring to work properly ( ?????? ). I configured and tested several times within a short period, during the day and was not working initially, GUI packet tracer was showing some problems (IPSEC Spoof detected) and also there was this left out dns. Its working fine now.
But my problem is not solved fully here.
Does hairpinning model allow access to the campus LAN behind ASA also?. Coz the setup is working now as i needed, and I can access Internet with the NAT'ed ip address (outside-interface). So far so good. But now I cannot access the Campus LAN behind the asa.
Here the packet tracer output for the traffic:
packet-tracer output
asa# packet-tracer input internet2-outside tcp 192.168.150.1 56482 172.16.1.249 22
Phase: 1
Type: ACCESS-LIST
Subtype:
Result: ALLOW
Config:
Implicit Rule
Additional Information:
MAC Access list
Phase: 2
Type: FLOW-LOOKUP
Subtype:
Result: ALLOW
Config:
Additional Information:
Found no matching flow, creating a new flow
Phase: 3
Type: ROUTE-LOOKUP
Subtype: input
Result: ALLOW
Config:
Additional Information:
in 172.16.0.0 255.255.0.0 campus-lan
Phase: 4
Type: ROUTE-LOOKUP
Subtype: input
Result: ALLOW
Config:
Additional Information:
in 192.168.150.1 255.255.255.255 internet2-outside
Phase: 5
Type: ACCESS-LIST
Subtype: log
Result: ALLOW
Config:
access-group internnet1-in in interface internet2-outside
access-list internnet1-in extended permit ip 192.168.150.0 255.255.255.0 any
Additional Information:
Phase: 6
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:
Phase: 7
Type: CP-PUNT
Subtype:
Result: ALLOW
Config:
Additional Information:
Phase: 8
Type: VPN
Subtype: ipsec-tunnel-flow
Result: ALLOW
Config:
Additional Information:
Phase: 9
Type: NAT-EXEMPT
Subtype: rpf-check
Result: ALLOW
Config:
Additional Information:
Phase: 10
Type: NAT
Subtype:
Result: DROP
Config:
nat (internet2-outside) 1 192.168.150.0 255.255.255.0
match ip internet2-outside 192.168.150.0 255.255.255.0 campus-lan any
dynamic translation to pool 1 (No matching global)
translate_hits = 14, untranslate_hits = 0
Additional Information:
Result:
input-interface: internet2-outside
input-status: up
input-line-status: up
output-interface: internet2-outside
output-status: up
output-line-status: up
Action: drop
Drop-reason: (acl-drop) Flow is denied by configured rule
The problem here as you can see is the Rule for dynamic nat that I added to make hairpin work at first place
dynamic nat
asa(config)#nat (internet2-outside) 1 192.168.150.0 255.255.255.0
Is it possible to access both
1)LAN behind ASA
2)INTERNET via HAIRPINNING
simultaneously via a single tunnel-group?
If it can be done, how do I do it. What changes do I need to make here to get simultaneous access to my LAN also?
Thanks & Regards
Abhijit -
ASA 5505 - Cannot ping outside natted interface
Hello,
I have a Cisco ASA 5505, the problem is I am not able to ping to outside natted interface (ip: 172.88.188.123 and 124 and 125) from inside network
Could someone help me to resolve this? I have looked for ASA documentation through the internet and still got nothing.
Thank you in advance
the config are:
: Saved
ASA Version 8.2(1)
hostname ciscoasa
domain-name domain
enable password ********** encrypted
passwd ************ encrypted
names
interface Vlan1
nameif inside
security-level 100
ip address 192.168.1.254 255.255.255.0
interface Vlan2
nameif outside
security-level 0
ip address 172.88.188.122 255.255.255.248
interface Vlan3
no forward interface Vlan2
nameif backup
security-level 0
no ip address
interface Ethernet0/0
switchport access vlan 2
interface Ethernet0/1
interface Ethernet0/2
interface Ethernet0/3
interface Ethernet0/4
interface Ethernet0/5
interface Ethernet0/6
interface Ethernet0/7
ftp mode passive
dns server-group DefaultDNS
domain-name domain
same-security-traffic permit intra-interface
access-list outside_in extended permit tcp any host 172.88.188.123 eq smtp
access-list outside_in extended permit tcp any host 172.88.188.123 eq pop3
access-list outside_in extended permit tcp any host 172.88.188.123 eq www
access-list outside_in extended permit icmp any any
access-list outside_in extended permit icmp any any echo-reply
access-list inside_out extended permit tcp 192.168.1.0 255.255.255.0 any
access-list inside_out extended permit udp 192.168.1.0 255.255.255.0 any
access-list inside_out extended permit icmp any any
pager lines 24
logging asdm informational
mtu inside 1500
mtu outside 1500
mtu backup 1500
icmp unreachable rate-limit 1 burst-size 1
no asdm history enable
arp timeout 14400
global (outside) 1 interface
global (outside) 1 172.88.188.128
nat (inside) 1 192.168.1.0 255.255.255.0
static (inside,outside) 172.88.188.123 192.168.1.253 netmask 255.255.255.255
static (inside,outside) 172.88.188.124 192.168.1.251 netmask 255.255.255.255
static (inside,outside) 172.88.188.125 192.168.1.5 netmask 255.255.255.255
route outside 0.0.0.0 0.0.0.0 172.88.188.121 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
dynamic-access-policy-record DfltAccessPolicy
http server enable
http 192.168.1.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
telnet 192.168.1.0 255.255.255.0 inside
telnet timeout 5
ssh timeout 5
console timeout 0
dhcpd lease 1048575
dhcpd auto_config outside
dhcpd address 192.168.1.100-192.168.1.200 inside
dhcpd dns 8.8.8.8 interface inside
dhcpd enable inside
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
webvpn
class-map inspection_default
match default-inspection-traffic
policy-map global_policy
class inspection_default
inspect icmp
service-policy global_policy global
prompt hostname context
Cryptochecksum:865943aa325eb75812628fec3b1e7249
: endYou are looking for this. 2 options, dns doctoring, or hairpinning (2nd part of document.) Post back if you need help setting it up.
http://www.cisco.com/en/US/products/ps6120/products_configuration_example09186a00807968d1.shtml
Hairpinning would look like this in your scenario.
same-security-traffic permit intra-interface
global (inside) 1 interface
static (inside,inside) 172.88.188.123 192.168.1.253 netmask 255.255.255.255
static (inside,inside) 172.88.188.124 192.168.1.251 netmask 255.255.255.255
static (inside,inside) 172.88.188.125 192.168.1.5 netmask 255.255.255.255 -
ASA IPsec Remote Access VPN | NAT Question
We have a situation where a company that needs remote VPN access to our network is having an IP conflict with our subnet. I know this is a common issue and can often be resolved on the client side by changing the metirc on the network interface, but I am looking for a better solution on our end so I do not have to suggest workarounds.
Part of the problem is likely that our subnet is "too big", but I'm not going to be changing that now.
We are using 10.0.0.0/24 and the remote is using 10.0.11.0/24 and 10.1.0.0./16
I played around with some NAT rules and feel that I am missing something I am looking for suggestions, please.
Thank you.Hi,
This depends on your ASA firewalls software version and partly on its current NAT configurations.
I presume the following
Interfaces "inside" and "outside"
VPN Pool network of 10.10.100.0/24 (or some 192/172 network)
Software 8.2 and below
access-list VPN-POLICYNAT remark Static Policy NAT for VPN Client
access-list VPN-POLICYNAT permit ip 10.0.0.0 255.255.255.0 10.10.100.0 255.255.255.0
static (inside,outside) 192.168.10.0 access-list VPN-POLICYNAT
Key things to keep in mind with this software level is that if any of our internal hosts on the network 10.0.0.0/24 also have a "static" configuration that binds their local IP address to a public IP address then you might have to insert the above configuration and then remove the original "static" command and enter it back again.
This will change the order or the "static" commands so that the original "static" command wont override this new configuration as they are processed in order they are inserted to the configuration. The remove/add part is just to change their order in the configuration
Software 8.3 and above
object network LAN
subnet 10.0.0.0 255.255.255.0
object network LAN-VPN
subnet 192.168.10.0 255.255.255.0
object-group network VPN-POOL
subnet 10.10.100.0 255.255.255.0
nat (inside,outside) 1 source static LAN LAN-VPN destination static VPN-POOL VPN-POOL
In the above configuration we do the same as in the older software versions configuration but we have the number "1" in the "nat" configuration which places it at the very top of your NAT configurations and therefore it applies. No need to remove any existing configuration and enter them again like in the old software
In addition to the above NAT configuration you naturally have to make sure that the traffic to the NATed LAN network goes to the VPN. So if using Split Tunnel the NAT network needs to be added to the VPN ACL. If using Full Tunnel then naturally everything should already be coming through the VPN. I imagine though that you are using Split Tunnel, or?
Hope this helps
Please do remember to mark a reply as the correct answer if it answered your question.
Feel free to ask more if needed
- Jouni -
Need to run two Xbox 360's on a WRT160N V2 both with open NAT.
This must be possible...somehow.
I've tried a few times through the linksys support chat (which seems to be gone now?) to get this working properly but always fails. I've got my http://192.168.1.1/ open, so please if anyone knows how this works that'd be just awesome.
Both 360's are connected via wire. We want to be able to play the same games at the same time in the same party while both having an open NAT. Right now only one of us can have an open NAT while the other has a Moderate or Strict. We have plenty of speed, but that stupid NAT makes it nearly impossible for us to connect to games together. Then even when we DO connect to a server/lobby it takes forever for that lobby to fill up with other players as they can't connect to US. Painfully annoying.
I DID do a search of this very forum and found a thread or two, but they are very long and I am having a hard time filtering what is correct or not. Too many people saying different things with no reponses as to whether or not their solution worked. I'm still reading through them, I'm not a technician in any sense and don't want to mess it up more than it already seems to be. I am capable of reading/following instructions, so if anyone knows I'll give you all my "One Free Internet" coupons.You can try this link and it will help you in setting up your XBOX with your Router. And for your 2nd XBOX Enable DMZ and assign a Static IP to your XBOX.
-
Help with multiple nat translation on a Cisco Nexus 3548
Hi All,
I need a little help with a NAT configuration on a cisco Nexus 3548 version 6.0(2)A4(3).
What currently have is as follows:
internal network: 192.168.4.0/24
nexus router (routerA):
LAN Side: vlan104 interface 192.168.4.201/24
WAN Side: Eth1/48 interface 172.24.101.2/24
remote network: 159.43.48.32/27
remote gateway: 172.24.101.1/24
use ACL's to ensure that only specific traffic is allowed out and in.
allow a specific connection from a different internal network (192.168.3.0/24) to talk to port 159.43.48.34:1025
Clients on the internal network 192.168.4.0, need to be able to connect to services (port 14002, port 8101) running on 159.43.48.34, but they must be SNAT'ed through the WAN interface as coming from 159.43.65.81
Currently we have this working but the internal lan clients need to know how to get to 159.43.48.34/27 and therefore we need to route this network in our internal network.
What we really want is to do is provide an address such as 192.168.4.203 for internal clients to use for connectivity to the various services, and then this address would be SNAT'ed to 159.43.65.81 over the WAN. We still want to secure the traffic in both directions.
In the past i've been able to do this with inside and outside nat's and i haven't had to configure an interface on the router for the internal address, it has just been "stood up" by the nat rules. For example (this is how i've done it before):
LAN interface
ip nat outside
WAN interface
ip nat inside
ip nat inside source static159.43.65.81 192.168.4.203
ip nat outside source static 159.43.65.81 192.168.4.203
but, trying to implement this sort of config on the Nexus isn't working.
I am wondering if the Nexus behaves differently than ios based routers.
I'd appreciate any help to get this config working.
Thanks in advance,
LesLes
The issue with an "ip nat outside ..." static is that from the inside routing is done before NAT.
So what happens is that the destination IP is 192.168.4.203 and the Nexus will do a route lookup, see it is directly connected so it won't forward the packet to the outside interface so it doesn't get translated.
If you enter "ip nat outside source static 159.43.48.34 192.168.4.203" then on IOS it adds a host specific route to the routing table for 192.168.4.203 as directly connected.
So you do a ping from a 192.168.3.x client it looks like it is working but actually the L3 device is simply responding and the packet never gets to the server.
Apologies for the long winded explanation but NXOS might behave differently and I wanted you to know what to look for.
So with IOS there is the "add-route" option at the end of the NAT statement and if you use this it would add a host specific route into the routing table like this -
192.168.4.203 255.255.255.255 159.43.48.34
this is a recursive route ie. the device must know how to get to 159.43.48.34 but your Nexus should.
What the above does is make sure any packets arriving at the Nexus for 192.168.4.203 get routed to the outside interface and so are translated.
So firstly see if that option is available with your NAT statement ie.
"ip nat outside source static 159.43.48.34 192.168.4.203 add-route"
if it isn't then try adding just the static statement without it and then have a look at the routing table. If it hasn't put in a host specific route showing as directly connected which it may not, as it may behave differently, then you can manually add a route ie.
192.168.4.203 255.255.255.255 <next hop IP>
note that the next hop IP doesn't have to be the server here it could just be the next hop from the Nexus switch. All you are trying to do is get the packet routed to the outside interface.
Hope that makes sense.
Edit - one thing I haven't tried is to use a different IP subnet for NAT ie. one that is still part of your internal range but unused and then having a route on the Nexus, in your case, pointing to the outside interface and you redistribute this subnet into your IGP. Then you add the NAT statement.
What may happen is it still adds a host specific route showing as directly connected but it may not because the Nexus wouldn't actually have a directly connected interface for that subnet.
I suspect it would though.
If it did work then it would still mean you didn't need to advertise the public IP internally.
If I get the chance I'll test it later today.
Jon -
IPsec tunnel with two RV180W in LAN
Hi all,
I've to set up a couple of RV180W devices to connect several branch offices with IPsec tunnels with one back office.
Because I'm new to Cisco devices, my intention is to set up two RV180W devices in our LAN that way, that they establish an IPsec tunnel. Both of them have an IP address in the net 192.168.179.x and each RV180W has it's own IP net (192.168.10.x and 192.168.11.x). The idea is to have a PC in each of the networks of the RV180Ws and several outside to check by the PCs' visibility/connectivity whether the VPN is working or not. Later on I've to change the network addresses but I'll know that the IPsec settings are working.
I've used the 'Basic VPN Setup' on both devices to configure the tunnel, but it won't be established, its status remains on 'IPsec SA Not Established'.
Am I completely wrong with my approach? Or am I blind and oversee something essential within the configuration?
Here the configurations of both devices:
device 1:
device 2:
Thanks in advance for your ideas and help.
Best regards, LarsI'm trying to connect an RV180W to my RV082 and I get IPSec SA Not Established. I've checked my settings numerous times and they are the same on both routers (aside from different gateway ip and lan subnet)
-
TNS Return inside NAT IP address and not outside NAT
When trying to connect from outside of our network using the tnsnames.ora file under $ORACLE_HOME/network/admin, TNS protocol returns the inside NAT and not the outside NAT ( Network adress translation ) , causing the session to time out ( TNS no listener ), since the transaction is addressed to the inside interface and not the outside.
NAT is done at the router level , CISCO 6509.
Is there any solution for htis problem. When using HTTP protocol at the application level, this does not seem to happenSambacho,
Did you ever resolve this issue or did anyone provide you with a potential solutions.
Sincerely,
--Jim -
Hi guys i am a bit confused, please help me ..
RTR2----(Outside)ASA(Inside)----Rtr1
the outside n/w range is 192.168.1.0/24 with Rtr2 having .2 and ASA having .1
the inside n/w range is 192.168.2.0 with asa having .1 and Rtr1 hving .2
now i want to perform dynamic outside nat for Rtr2.
nat (outside) 1 192.168.1.0 255.255.255.0
global (inside) 1 interface
or
nat (outside) 1 192.168.1.0 255.255.255.0 outside
global (inside) 1 interface
i knw that outside keyword is used for outside nat , and when i try to configure
nat command on outside intf, it gives me a warning also..but it takes the command.
my doubt is why outside nat doesnt works with outside keyword.I hope you guys got my doubt..Hi matti . i have the following setup
host---(inside)Pix(Outside)---Rtr
host ip address 10.0.0.10
Pix Inside 10.0.0.1
Pix Outside 172.31.0.1
Rtr IP add:172.31.0.2(Rtr having a deault route to pix)
i tried to configure outside nat, but its not working.
hostname Firewall
enable password xxx encrypted
names
interface Ethernet0
speed 100
nameif outside
security-level 0
ip address 172.31.0.1 255.255.255.0
interface Ethernet1
speed 100
nameif inside
security-level 100
ip address 10.0.0.1 255.255.255.0
passwd xxx
ftp mode passive
access-list outside extended permit ip any any
pager lines 24
logging enable
icmp unreachable rate-limit 1 burst-size 1
nat-control
global (inside) 1 interface
nat (outside) 1 0.0.0.0 0.0.0.0 outside
nat (inside) 1 0.0.0.0 0.0.0.0
access-group outside in interface outside
telnet timeout 5
ssh timeout 5
console timeout 0
i see the following messages
%PIX-6-305011: Built dynamic ICMP translation from outside:172.31.0.2/2253 to in
side:10.0.0.1/30
%PIX-3-305005: No translation group found for icmp src outside:172.31.0.2 dst in
side:Insrv (type 8, code 0)
%PIX-6-305011: Built dynamic ICMP translation from outside:172.31.0.2/2254 to in
side:10.0.0.1/31
%PIX-3-305005: No translation group found for icmp src outside:172.31.0.2 dst in
side:Insrv (type 8, code 0)
%PIX-6-305011: Built dynamic ICMP translation from outside:172.31.0.2/2255 to in
side:10.0.0.1/32
%PIX-3-305005: No translation group found for icmp src outside:172.31.0.2 dst in
side:Insrv (type 8, code 0)
%PIX-6-305011: Built dynamic ICMP translation from outside:172.31.0.2/2256 to in
side:10.0.0.1/33
%PIX-3-305005: No translation group found for icmp src outside:172.31.0.2 dst in
side:Insrv (type 8, code 0)
%PIX-6-305011: Built dynamic ICMP translation from outside:172.31.0.2/2257 to in
side:10.0.0.1/34
%PIX-3-305005: No translation group found for icmp src outside:172.31.0.2 dst in
side:Insrv (type 8, code 0)
show xlate output
PAT Global 10.0.0.1(36) Local 172.31.0.2 ICMP id 5850
PAT Global 10.0.0.1(35) Local 172.31.0.2 ICMP id 5849 -
Cisco asa traffic flow with destination nat
Hi Folks,
Can anybody comment on the below.
1. in source natting (inside users accessing internet), first the NAT will happen then the routing will happen. I agree with this..
2. in destination natting (outside users accessing inside server on public ip), what will happen first, NATTING or Routing. I am looking forward to hear an explanation.
regards
RajeshThe ASA will always apply NAT based on the order of the NAT table (which is directly derived from the running configuration), which can be viewed with 'show nat detail'. It takes the packet and walks down the table in order of the entries programmed into the table, looking for the first rule that has a matching interface(s) and matching IP subnets/ports that apply to the packet in question; at that point the NAT translation is applied and further processing stops.
The NAT phase that you show highlighted reflects the stage where the packet's IP headers in an existing connection are re-written by NAT; it is not the exact phase where the egress interface selection is overridden by the translation table.
That order of operations slide is really quite simplified, and intentionally missing some steps because I just don't have time to go over the nuances of NAT during the general troubleshooting presentation that the picture was pulled from. On the next slide titled "Egress Interface", I do explain that NAT can override the global routing table for egress interface selection. This order of operations is somewhat "rough", and there are corner cases that can make the order of operations confusing.
The confusion here probably stems from the doubt about which comes first when selecting egress interfaces, routing or NAT. Hopefully with my explanation below, you'll have the missing pieces needed to fully explain why you see the seemingly inconsistent behavior. Please let me know what is unclear or contradictory about my explanation and I'll try and clear it up. I would also appreciate your suggestions on how to simply and clearly show these steps on a slide, so that I can improve how we deliver this information to our customers. Anyway, on to the explanation...
The short answer:
The NAT divert check (which is what overrides the routing table) is checking to see if there is any NAT rule that specifies destination address translation for an inbound packet arriving on an interface.
If there is no rule that explicitly specifies how to translate that packet's destination IP address, then the global routing table is consulted to determine the egress interface.
If there is a rule that explicitly specifies how to translate the packets destination IP address, then the NAT rule "pulls" the packet to the other interface in the translation and the global routing table is effectively bypassed.
The longer answer:
For the moment, ignore the diagram above. For the first packet in the flow arriving inbound on an ASA's interface (TCP SYN packet for example):
Step 1: un-translate the packet for the Security check: Check the packet's headers for matching NAT rules in the NAT table. If the rules apply to the packet, virtually un-NAT the packet so we can check it against the access policies of the ASA (ACL check).
Step 1.A: ACL Check: Check the un-translated packet against the interface ACL, if permitted proceed to step 2
Step 2: Check NAT-divert table for global routing table override: In this step the ASA checks the packet and determines if either of the following statements are true:
Step 2 check A: Did the packet arrive inbound on an interface that is specified as the global (aka mapped) interface in a NAT translation (this is most common when a packet arrives inbound on the outside interface and matches a mapped ip address or range, and is forwarded to an inside interface)?
-or-
Step 2 check B: Did the packet arrive inbound on an interface that is specified as the local (real) interface in a NAT translation that also has destination IP translation explicitly specified (this is seen in your first example, the case with your NAT exempt configuration for traffic from LAN to WAN bypassing translation)?
If either of these checks returns true, then the packet is virtually forwarded to the other interface specified in the matching NAT translation line, bypassing the global routing table egress interface lookup; Then, a subsequent interface-specific route lookup is done to determine the next-hop address to forward the packet to.
Put another way, Step 2 check B checks to see if the packet matches an entry in the NAT divert-table. If it does, then the global routing table is bypassed, and the packet is virtually forwarded to the other (local) interface specified in the nat translation. You can actually see the nat divert-table contents with the command 'show nat divert-table', but don't bother too much with it as it isn't very consumable and might be mis-leading.
Now lets refer to the specific example you outlined in your post; you said:
route ISP-1 0.0.0.0 0.0.0.0 1.1.1.1 1
route ISP-2 0.0.0.0 0.0.0.0 2.2.2.1 254
nat (LAN,ISP-1) after-auto source dynamic any interface
nat (LAN,ISP-2) after-auto source dynamic any interface
Now lets say that there is a connection coming from behind LAN interface with the source IP address 10.10.10.10 destined for 8.8.8.8 on destination port TCP/80. The flow chart would seem to indicate (with the above information/configuration in mind) that a NAT would be done before L3 Route Lookup?
The packet you describe will not match any nat-divert entries, and the egress interface selection will be performed based on the L3 routing table, which you have tested and confirmed. This is because the packet does not match Step 2 checks A or B.
It doesn't match Step 2 Check A because the packet did not arrive inbound on the mapped (aka global) interfaces ISP-1 or ISP-2 from the NAT config lines. It arrived inbound on the local (aka real) interface LAN.
It doesn't match Step 2 Check B because these NAT rules don't have destination IP address translation explicitly configured (unlike your LAN to WAN example)...therefore the ASA won't match a divert-table entry for the packet (actually you'll see a rule in the divert table, but it will have ignore=yes, so it is skipped).
Message was edited by: Jay Johnston -
Tieing 2 key systems together with fxo/fxs and 1760 routers
Hello,
I need some programming help from someone good on voice. I've got two offices that I'm trying to tie the phone systems together with 2x Cisco 1760 routers each with 2x PVDM-256K-4 1 DSP Modules. I've got the layout below and am basically looking to do two things.
First, I would like ext. 210 from the first site to dial a co group â1â or directly access a âCO lineâ that is connected to the Cisco and get dial tone to be able to dial the directory number for a âCO lineâ with the same setup at the second site and have it able to be answered like a normal call and be transferred.
The second connection I would like is to have ext. 210 be able to dial locally to one of site 1's analog single line extensions and have the Ciscos make a connection through to site 2 and go off-hook on one of the analog single line extensions of site 2 in order to get a site 2 dial tone and be able to dial locally @ site 2 to any extension, or dial one of site 2's co groups or directory number for one of site 2's real CO lines and place a âlocalâ call to the outside world from site 2's lines.
Obviously this process would all be reversed for site 2 accessing site 1. I've come across a couple of documents, like ID: 15405, and a section of a VoIP Configuration guide labeled OL-1070-01 and have some command structure available, but the concept of how it all takes place and should be configured is a little fuzzy.
Thank you,
MarkOK, let me simplify things. I think I'm putting way too much thought into it all. I've got site A and site B. Site A (currently for testing) has a single line extension from Site A's key system plugged into port 0 in fxo card in slot 2. Site A will have a patch from port 0 in fxs card in slot 3 to a CO line on the key system. Site B has the same setup. Both have fa 0/0 configured with IP addresses on the same network (just to simulate the connections - later I will actually move these to two separate internet feeds for more advanced testing).
Currently for testing I have disconnected the fxs patches to the phone systems and just have a regular analog phone plugged in. When my phone plugged into Site A goes off hook, I get dial-tone from the extension hooked up to Site B (which is the exact way I want it). When my analog phone is plugged into Site B (port 0 of fxs card in slot 3) and goes off hook, it will ring port 0 of fxs card in slot 3 of Site A. This I don't understand. If I can get both to behave like Site A, I'd be happy.
I need to know if this makes sense to anyone on how I want this to operate? Is it achievable?
Here's my base config on it (Site A first, then Site B):
version 12.4
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
hostname Simmering
boot-start-marker
boot-end-marker
enable secret 5 $1$F/AM$ige2qFh9lVD6uNubE.qm80
no aaa new-model
voice-card 2
voice-card 3
ip cef
interface FastEthernet0/0
ip address 192.168.254.30 255.255.255.0
speed auto
no ip http server
no ip http secure-server
control-plane
voice-port 2/0
connection plar opx 290
voice-port 2/1
connection plar opx 291
voice-port 2/2
voice-port 2/3
voice-port 3/0
connection plar 190
voice-port 3/1
connection plar 191
voice-port 3/2
voice-port 3/3
dial-peer voice 280 pots
destination-pattern 280
port 2/0
dial-peer voice 281 pots
destination-pattern 281
port 2/1
dial-peer voice 290 voip
destination-pattern 29
session target ipv4:192.168.254.40
dial-peer voice 180 pots
destination-pattern 180
port 3/0
dial-peer voice 181 pots
destination-pattern 181
port 3/1
dial-peer voice 190 voip
destination-pattern 19
session target ipv4:192.168.254.40
line con 0
logging synchronous
line aux 0
line vty 0 4
password Corazon64789
logging synchronous
login
transport input telnet
end
SITE B:
version 12.4
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
hostname Sigma
boot-start-marker
boot-end-marker
enable secret 5 $1$1H58$6.VsVieyi4srcC7v4Lndv0
no aaa new-model
voice-card 2
voice-card 3
ip cef
interface FastEthernet0/0
ip address 192.168.254.40 255.255.255.0
speed auto
no ip http server
no ip http secure-server
control-plane
voice-port 2/0
connection plar opx 280
voice-port 2/1
connection plar opx 281
voice-port 2/2
voice-port 2/3
voice-port 3/0
connection plar 180
voice-port 3/1
connection plar 181
voice-port 3/2
voice-port 3/3
dial-peer voice 290 pots
destination-pattern 290
port 3/0
dial-peer voice 291 pots
destination-pattern 291
port 3/1
dial-peer voice 280 voip
destination-pattern 28
session target ipv4:192.168.254.30
dial-peer voice 190 pots
destination-pattern 190
port 2/0
dial-peer voice 191 pots
destination-pattern 191
port 2/1
dial-peer voice 180 voip
destination-pattern 18
session target ipv4:192.168.254.30
line con 0
logging synchronous
line aux 0
line vty 0 4
password Corazon64789
logging synchronous
login
transport input telnet
end -
I have purchased a ringtone in the iTunes Store for my iPad, and I cannot find the download together with my music. I have received the invoice but I have no product. I am working with iOS6, if that helps. Can anybody help me?
I am confused. Do you mean you found the music, not the tones, or you can't find either?
If the former, then this is normal. You can't redownload tones from the Cloud. -
How can I create a client console and work together with the Cache Server?
How can I edit the following Cache-Server.cmd file to create a client console and work together with the Cache Server?
The following is the cache server file: contacts-cache-server.cmd
@echo off
setlocal
if (%COHERENCE_HOME%)==() (
set COHERENCE_HOME=c:\coherence
set CONFIG=C:\home\oracle\coherence\Contacts
set COH_OPTS=%COH_OPTS% -server -cp %COHERENCE_HOME%\lib\coherence.jar;C:\home\oracle\
coherence\Contacts;C:\home\oracle\coherence\Contacts\classes;
set COH_OPTS=%COH_OPTS% -Dtangosol.coherence.cacheconfig=%CONFIG%\contacts-cache-config.xml
java %COH_OPTS% -Xms1g -Xmx1g -Xloggc: com.tangosol.net.DefaultCacheServer %2 %3 %4 %5 %6 %7
:exitEdited by: junez on 23-Oct-2009 09:20Hi
To run the console, change DefaultCacheServer to CacheFactory
Paul
Maybe you are looking for
-
I changed my email address and updated it to my married name. As a result, when I try to download an app, it keeps telling me that I have the wrong password, despite resetting my password. I have not "upgraded" to the new OS for quite a while... When
-
Attachement Id has a bad format
I am using Mac Lion OX and It happen on both, firefox and safari
-
Workflow options are disabled in the sidekick for non-administrators
We have a custom workflow for content approval. The first step in the workflow assigns the task to the workflow initiator. While testing the workflow, the initiation is successful and also the first task is assigned to the initiator. But when the ini
-
Hello Team, We were facing an error where we were not able to save a document in content repository. I took help of my abap friend to run one of the standard functional programs and he suggested that there are no entries maintained in tables TDW0, TD
-
HELP---How can i save pics ???HELP
I have a problem. i drwa e.g. a rectangle in green. how can i save this rectangle? has anyone examples? thanks thomas