NAT a subnet to another subnet
Hi All,
I have a Cisco ASA 5510 configured as a gateway for my network. The problem is that I want to create a new subnet for my network, and I have a VPN tunnel established to the headquarters. The objective is to create a subnet and NAT it to the already configured subnet through the tunnel. Is this possible? Till now I am able to create a subnet and make it go to the Internet, but I have tried a lot to make it go through the tunnel and it is not working. Has anyone faced such a problem before?
Thanks for your help,
Cordially
Hi Jouni,
I have been building a lab for this configuration using GNS3. I made a VPN tunnel between two Cisco ASA 5510s (ping OK, tunnel is up), then I made a new subnet, configured routing and NAT for the new subnet, tests locally are OK, and then I tried to NAT the new subnet as you mentioned before, but I can't figure out what's wrong with my configuration; it seems that there is something missing. Here's a summary of the lab:
Site 1: private address 10.241.105.0/25, private new subnet 172.20.50.0/24
Site B: private address 192.168.1.0/24
Tunnel is up
What I have done is that I added the new subnet 172.20.50.0/24 to the VPN tunnel for both sides, and then I used Packet Tracer to figure out that packets from 172.20.50.0/24 are being translated to the outside interface and not going through the tunnel. So I added a NAT exempt rule on both sides too, and oops, everything is OK. Good news, right?
But that's not what I'm looking for!
I will be pasting the two network configurations, and I'm looking for a way to post an image; I can't figure out a way to do that in the forum (feeling stupid). I hope to find it.
Here's my mail address: [email protected]. Would you please mail me the right configuration? This is very important for me since it's a challenge I have to take in order to join an IT leading team in my corporation (Level 3 support), my dream for 3 years.
Cisco ASA 5510 Site 1
: Saved
: Written by enable_15 at 00:33:55.172 UTC Tue Nov 30 1999
ASA Version 8.0(2)
hostname ASA1
domain-name jihed.com
enable password TyjfM4B9RGk0QSqu encrypted
names
interface Ethernet0/0
description ### Connected to LAN ###
nameif inside
security-level 100
ip address 10.241.105.1 255.255.255.128
interface Ethernet0/1
description ### Connected to Outside LAN VPN Tunnel ###
nameif outside
security-level 0
ip address 41.224.46.2 255.255.255.0
interface Ethernet0/2
shutdown
no nameif
no security-level
no ip address
interface Ethernet0/3
shutdown
no nameif
no security-level
no ip address
interface Ethernet0/4
shutdown
no nameif
no security-level
no ip address
interface Ethernet0/5
shutdown
no nameif
no security-level
no ip address
passwd 2KFQnbNIdI.2KYOU encrypted
banner exec Welcome Admin Have a Nice Day
banner login Welcome Admin Have a Nice Day
banner motd Welcome Admin Have a Nice Day
boot config disk0:/.private/startup-config
ftp mode passive
dns server-group DefaultDNS
domain-name jihed.com
same-security-traffic permit inter-interface
same-security-traffic permit intra-interface
object-group network DM_INLINE_NETWORK_1
network-object 10.241.105.0 255.255.255.128
network-object 172.20.50.0 255.255.255.0
access-list inside_access_in extended permit ip any any
access-list outside_access_in extended permit icmp any any
access-list inside_nat_outbound extended permit ip 10.241.105.0 255.255.255.128 any
access-list 197.22.47.2_splitTunnelAcl standard permit 10.241.105.0 255.255.255.128
access-list inside_nat0_outbound extended permit ip 10.241.105.0 255.255.255.128 10.241.105.0 255.255.255.240
access-list inside_nat0_outbound extended permit ip 10.241.105.0 255.255.255.128 192.168.1.0 255.255.255.0
access-list inside_nat0_outbound extended permit ip 10.241.105.0 255.255.255.128 172.20.50.0 255.255.255.0
access-list inside_nat0_outbound extended permit ip 172.20.50.0 255.255.255.0 192.168.1.0 255.255.255.0
access-list 41.224.46.2_splitTunnelAcl standard permit 10.241.105.0 255.255.255.128
access-list outside_1_cryptomap extended permit ip object-group DM_INLINE_NETWORK_1 192.168.1.0 255.255.255.0
pager lines 24
logging enable
logging asdm informational
no logging message 402128
mtu inside 1500
mtu outside 1500
ip local pool Remote_Access 10.241.105.6-10.241.105.10 mask 255.255.255.128
no failover
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-631.bin
no asdm history enable
arp timeout 14400
nat-control
global (inside) 2 10.241.105.12 netmask 255.255.255.128
global (outside) 1 interface
nat (inside) 0 access-list inside_nat0_outbound
nat (inside) 1 access-list inside_nat_outbound
nat (inside) 1 10.241.105.0 255.255.255.128
access-group inside_access_in in interface inside
access-group outside_access_in in interface outside
route outside 0.0.0.0 0.0.0.0 41.224.46.1 1
route inside 172.20.50.0 255.255.255.0 10.241.105.1 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout uauth 0:05:00 absolute
dynamic-access-policy-record DfltAccessPolicy
aaa authentication ssh console LOCAL
aaa authentication telnet console LOCAL
http server enable
http 10.241.105.0 255.255.255.128 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac
crypto ipsec transform-set ESP-DES-SHA esp-des esp-sha-hmac
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set pfs group1
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set transform-set ESP-DES-SHA ESP-DES-MD5
crypto map outside_map 1 match address outside_1_cryptomap
crypto map outside_map 1 set pfs group1
crypto map outside_map 1 set peer 197.22.47.2
crypto map outside_map 1 set transform-set ESP-DES-SHA
crypto map outside_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
crypto map outside_map interface outside
crypto isakmp enable outside
crypto isakmp policy 10
authentication pre-share
encryption des
hash sha
group 2
lifetime 86400
crypto isakmp policy 30
authentication pre-share
encryption des
hash md5
group 2
lifetime 86400
no crypto isakmp nat-traversal
telnet 10.241.105.0 255.255.255.128 inside
telnet timeout 1440
ssh 10.241.105.0 255.255.255.128 inside
ssh 172.10.1.0 255.255.255.0 outside
ssh timeout 60
console timeout 0
threat-detection basic-threat
threat-detection statistics access-list
class-map inspection_default
match default-inspection-traffic
policy-map type inspect dns preset_dns_map
parameters
message-length maximum 512
policy-map global_policy
class inspection_default
inspect dns preset_dns_map
inspect ftp
inspect h323 h225
inspect h323 ras
inspect netbios
inspect rsh
inspect rtsp
inspect skinny
inspect esmtp
inspect sqlnet
inspect sunrpc
inspect tftp
inspect sip
inspect xdmcp
service-policy global_policy global
group-policy 41.224.46.2 internal
group-policy 41.224.46.2 attributes
wins-server value 8.8.8.8 8.8.8.8
dns-server value 8.8.8.8 8.8.8.8
vpn-tunnel-protocol IPSec
split-tunnel-policy tunnelspecified
split-tunnel-network-list value 41.224.46.2_splitTunnelAcl
default-domain value jihedlab.com
group-policy 41.224.46.2_1 internal
group-policy 41.224.46.2_1 attributes
wins-server value 8.8.8.8 8.8.8.8
dns-server value 8.8.8.8 8.8.8.8
vpn-tunnel-protocol IPSec
default-domain value jihed.com
group-policy 197.22.47.2 internal
group-policy 197.22.47.2 attributes
wins-server value 8.8.8.8 8.8.8.8
dns-server value 8.8.8.8 8.8.8.8
vpn-tunnel-protocol IPSec
split-tunnel-policy tunnelspecified
split-tunnel-network-list value 197.22.47.2_splitTunnelAcl
default-domain value jihed.com
username jihed password gUiCqYVlWOugRmug encrypted privilege 15
username jneji password Ae.gIIaVTgmxpFgx encrypted privilege 0
username jneji attributes
vpn-group-policy 197.22.47.2
tunnel-group 41.224.46.2 type remote-access
tunnel-group 41.224.46.2 general-attributes
address-pool Remote_Access
default-group-policy 41.224.46.2_1
tunnel-group 41.224.46.2 ipsec-attributes
pre-shared-key jihed
tunnel-group 197.22.47.2 type ipsec-l2l
tunnel-group 197.22.47.2 ipsec-attributes
pre-shared-key jihed
prompt hostname context
Cryptochecksum:27224fc34af0663282057f5cd4f7e932
: end
Cisco ASA 5510 Site 2
: Saved
: Written by enable_15 at 01:53:32.677 UTC Tue Nov 30 1999
ASA Version 8.0(2)
hostname ASA2
domain-name jihed.com
enable password TyjfM4B9RGk0QSqu encrypted
names
interface Ethernet0/0
description ### Connected to LAN ###
nameif inside
security-level 100
ip address 192.168.1.1 255.255.255.0
interface Ethernet0/1
description ### Connected to Outisde Interface VPN Tunnel ###
nameif outside
security-level 0
ip address 197.22.47.2 255.255.255.0
interface Ethernet0/2
shutdown
no nameif
no security-level
no ip address
interface Ethernet0/3
shutdown
no nameif
no security-level
no ip address
interface Ethernet0/4
shutdown
no nameif
no security-level
no ip address
interface Ethernet0/5
shutdown
no nameif
no security-level
no ip address
passwd 2KFQnbNIdI.2KYOU encrypted
banner exec Welcome Admin Have a Nice Day
banner login Welcome Admin Have a Nice Day
banner motd Welcome Admin Have a Nice Day
boot config disk0:/.private/startup-config
ftp mode passive
dns server-group DefaultDNS
domain-name jihed.com
same-security-traffic permit inter-interface
same-security-traffic permit intra-interface
object-group network DM_INLINE_NETWORK_1
network-object 10.241.105.0 255.255.255.128
network-object 172.20.50.0 255.255.255.0
access-list inside_access_in extended permit ip any any
access-list outside_access_in extended permit icmp any any
access-list inside_nat_outbound extended permit ip 192.168.1.0 255.255.255.0 any
access-list outside_1_cryptomap extended permit ip 192.168.1.0 255.255.255.0 object-group DM_INLINE_NETWORK_1
access-list inside_nat0_outbound extended permit ip 192.168.1.0 255.255.255.0 172.20.50.0 255.255.255.0
access-list inside_nat0_outbound extended permit ip 192.168.1.0 255.255.255.0 10.241.105.0 255.255.255.128
pager lines 24
logging enable
logging asdm informational
no logging message 402128
mtu inside 1500
mtu outside 1500
no failover
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-631.bin
no asdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 0 access-list inside_nat0_outbound
nat (inside) 1 access-list inside_nat_outbound
nat (inside) 1 192.168.1.0 255.255.255.0
access-group inside_access_in in interface inside
access-group outside_access_in in interface outside
route outside 0.0.0.0 0.0.0.0 197.22.47.1 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout uauth 0:05:00 absolute
dynamic-access-policy-record DfltAccessPolicy
aaa authentication ssh console LOCAL
aaa authentication telnet console LOCAL
http server enable
http 192.168.1.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set ESP-DES-SHA esp-des esp-sha-hmac
crypto map outside_map 1 match address outside_1_cryptomap
crypto map outside_map 1 set pfs group1
crypto map outside_map 1 set peer 41.224.46.2
crypto map outside_map 1 set transform-set ESP-DES-SHA
crypto map outside_map interface outside
crypto isakmp enable outside
crypto isakmp policy 10
authentication pre-share
encryption des
hash sha
group 2
lifetime 86400
no crypto isakmp nat-traversal
telnet 192.168.1.0 255.255.255.0 inside
telnet timeout 1440
ssh 192.168.1.0 255.255.255.0 inside
ssh timeout 60
console timeout 0
threat-detection basic-threat
threat-detection statistics access-list
class-map inspection_default
match default-inspection-traffic
policy-map type inspect dns preset_dns_map
parameters
message-length maximum 512
policy-map global_policy
class inspection_default
inspect dns preset_dns_map
inspect ftp
inspect h323 h225
inspect h323 ras
inspect netbios
inspect rsh
inspect rtsp
inspect skinny
inspect esmtp
inspect sqlnet
inspect sunrpc
inspect tftp
inspect sip
inspect xdmcp
service-policy global_policy global
username jihed password gUiCqYVlWOugRmug encrypted privilege 15
tunnel-group 41.224.46.2 type ipsec-l2l
tunnel-group 41.224.46.2 ipsec-attributes
pre-shared-key jihed
prompt hostname context
Cryptochecksum:4db675e1167a33bf5d9dfae0c74da193
: end
Thanks a lot
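As an added example (not part of the poster's lab and not Cisco tooling), the Python script below models what the Packet Tracer result above shows on this 8.0(2) configuration: the nat 0 exemption ACL is consulted first, anything that does not match it is PATed to the outside address by NAT id 1 and "global (outside) 1 interface", and the crypto map ACL is then matched against the packet after translation. Only the two ACLs are copied from the Site 1 config; the hand-expanded object-group and the assumption that the dynamic NAT rule also covers 172.20.50.0/24 (which the poster's Packet Tracer result implies) are the example's own.

```python
import ipaddress

# Object-group from the Site 1 config, expanded here by hand so no ASA parser is needed.
OBJECT_GROUPS = {
    "DM_INLINE_NETWORK_1": ["10.241.105.0/255.255.255.128", "172.20.50.0/255.255.255.0"],
}

# NAT-exemption and crypto ACLs as they appear in the Site 1 config above.
NAT0_ACL = """\
access-list inside_nat0_outbound extended permit ip 10.241.105.0 255.255.255.128 10.241.105.0 255.255.255.240
access-list inside_nat0_outbound extended permit ip 10.241.105.0 255.255.255.128 192.168.1.0 255.255.255.0
access-list inside_nat0_outbound extended permit ip 10.241.105.0 255.255.255.128 172.20.50.0 255.255.255.0
access-list inside_nat0_outbound extended permit ip 172.20.50.0 255.255.255.0 192.168.1.0 255.255.255.0
"""
# The same ACL before the poster added the last line for the new subnet.
NAT0_ACL_BEFORE = "\n".join(NAT0_ACL.splitlines()[:-1]) + "\n"

CRYPTO_ACL = """\
access-list outside_1_cryptomap extended permit ip object-group DM_INLINE_NETWORK_1 192.168.1.0 255.255.255.0
"""
OUTSIDE_IP = "41.224.46.2"  # "global (outside) 1 interface" PATs to the outside address


def _address_spec(tokens, i):
    """Consume one ACL address spec starting at tokens[i]; return (networks, next index)."""
    tok = tokens[i]
    if tok == "any":
        return [ipaddress.ip_network("0.0.0.0/0")], i + 1
    if tok == "host":
        return [ipaddress.ip_network(tokens[i + 1])], i + 2
    if tok == "object-group":
        return [ipaddress.ip_network(n) for n in OBJECT_GROUPS[tokens[i + 1]]], i + 2
    return [ipaddress.ip_network(f"{tok}/{tokens[i + 1]}")], i + 2


def parse_acl(text):
    """Return a list of (source_networks, destination_networks) for each 'permit ip' entry."""
    entries = []
    for line in text.splitlines():
        tokens = line.split()
        if tokens[:1] != ["access-list"] or tokens[2:5] != ["extended", "permit", "ip"]:
            continue
        src, i = _address_spec(tokens, 5)
        dst, _ = _address_spec(tokens, i)
        entries.append((src, dst))
    return entries


def acl_permits(entries, src_ip, dst_ip):
    s, d = ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip)
    return any(any(s in n for n in srcs) and any(d in n for n in dsts) for srcs, dsts in entries)


def classify_flow(src_ip, dst_ip, nat0_text=NAT0_ACL, crypto_text=CRYPTO_ACL):
    """Model of the inside->outside path on this 8.0(2) box.

    1. nat (inside) 0 access-list ...: a match means identity NAT (no translation).
    2. Otherwise dynamic NAT id 1 with "global (outside) 1 interface" PATs the source
       to the outside address. Assumption: the new subnet is covered by the dynamic rule
       too, which is what the poster's Packet Tracer result implies.
    3. The crypto map ACL is evaluated on the packet *after* NAT.
    """
    if acl_permits(parse_acl(nat0_text), src_ip, dst_ip):
        translated_src = src_ip
    else:
        translated_src = OUTSIDE_IP
    tunneled = acl_permits(parse_acl(crypto_text), translated_src, dst_ip)
    return {"translated_src": translated_src, "tunneled": tunneled}


if __name__ == "__main__":
    print("new subnet before nat0 line:", classify_flow("172.20.50.10", "192.168.1.20", NAT0_ACL_BEFORE))
    print("new subnet after nat0 line: ", classify_flow("172.20.50.10", "192.168.1.20"))
    print("original subnet:            ", classify_flow("10.241.105.5", "192.168.1.20"))
    print("internet bound:             ", classify_flow("172.20.50.10", "8.8.8.8"))
```

The first line of output is the poster's symptom: before the exemption existed, the source had already become 41.224.46.2 by the time the crypto ACL was checked, so the packet could never match the tunnel and left towards the Internet instead. With the fourth nat0 line present the flow keeps its real source, matches the crypto ACL and is encrypted. Because the exemption is keyed on both the source and the destination, every pair of subnets that should cross the tunnel needs its own entry on each peer, which is why a mirrored rule on the second ASA was also required.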
Similar Messages
-
ASA 5510 - Setting up ACL to permit access only to the Nat'ed subnet
Hi,
I am experiencing an issue in setting up an ACL on my ASA 5510 to permit access only to the NAT subnet from inside to the outside interface. This firewall is set up for the DR solution in the production network. I am applying the following ACL in the inbound direction on the inside interface.
permit ip any "Nat_subnet"
After applying this ACL to the inside interface I observed that I can ping the destinations in the NAT'ed subnet but am unable to SSH to the servers. Following is the summary of my configuration. I would appreciate it if someone could please advise how to resolve this issue.
Regards,
Muds
interface Ethernet0/0
nameif outside
security-level 0
ip address 192.168.135.241 255.255.255.248 standby 192.168.135.242
interface Ethernet0/1
nameif inside
security-level 100
ip address 192.168.135.249 255.255.255.248 standby 192.168.135.250
object-group network d1-dr-nat_nets
network-object 192.168.128.0 255.255.248.0
object network 10.210.14.0_Net
nat (outside,inside) static 192.168.128.0_Net
object network 10.210.16.0_Net
nat (outside,inside) static 192.168.129.0_Net
object network 10.210.80.0_Net
nat (outside,inside) static 192.168.130.0_Net
object network 10.210.84.0_Net
nat (outside,inside) static 192.168.131.0_Net
object network 10.210.86.0_Net
nat (outside,inside) static 192.168.132.0_Net
object network 10.210.88.0_Net
nat (outside,inside) static 192.168.133.0_Net !
access-list prod_lan-in extended permit ip any object-group d1-dr-nat_nets
access-group prod_lan-in in interface inside
Hi,
As I mentioned, even though you NAT the address from outside to inside, you will have to use the REAL IP ADDRESSES in the access-list statements.
Your hosts on inside will still be connecting to the NAT IP address of the hosts on outside, BUT the ASA needs the ACL statements with the NATed hosts' original IP addresses.
Let me give a simple example:
object network STATIC
host 10.10.10.10
nat (outside,inside) static 192.168.10.10
access-list INSIDE-IN permit ip any host 10.10.10.10
or
access-list INSIDE-IN permit ip any object STATIC
- Jouni -
ASA 5505: Site-to-Site VPN, NAT (Overlap Subnets)
Greetings all. I've searched through the forums and have found some similar situations to mine but nothing specific. I'm hoping this is an easy fix... :/
I volunteer for a non-profit medical facility that has an ASA 5505 (v8.4). They needed a site-to-site VPN to another facility (a Fortinet w/ 10.10.115.0/24) to securely transfer digital X-ray images. Very simple setup... the issue is, my 5505 (192.168.1.x) overlaps with another site-to-site VPN connection on the Fortinet side already. So...
The network admin on the Fortinet side assigned me 172.31.1.0/24. I have established a connection but obviously cannot route anywhere to the other side. Anyone have any suggestions here on how I might be able to accomplish this, hopefully with a simple NAT setup?
Thank you in advance everyone.
Hello Chris,
For this scenario you will need to create a policy-NAT rule and then configure the interesting traffic with the translated IP address.
Basically the NAT configuration will be like this:
object network Local-net
subnet 192.168.1.0 255.255.255.0
object network Translated-net
subnet 172.31.1.0 255.255.255.0
object network Fortinet-net
subnet 10.10.115.0 255.255.255.0
nat (inside,outside) source static Local-net Translated-net destination static Fortinet-net Fortinet-net
Obviously, you can change the name of the objects.
Then in the interesting traffic, the ACL that is applied in the crypto map that defines the VPN traffic, you will need to configure it like this:
access-list anyname permit ip 172.31.1.0 255.255.255.0 10.10.115.0 255.255.255.0
This should allow you to pass traffic over this tunnel and it will hide your network behind the network that the Fortinet assigned you.
Let me know if you have any doubts.
Daniel Moreno
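An added example for the policy-NAT answer above (written for this page; it is not Daniel's or Cisco's code): the Python below models the one-to-one static NAT of Local-net to Translated-net that applies only when the destination is Fortinet-net, checks the post-NAT packet against the interesting-traffic ACL, and maps return traffic back. The object names and prefixes are the ones in the answer; the host addresses used in the demo are constructed, and the WRONG_CRYPTO_ACL constant exists only to show what happens if the real network is written into the crypto ACL instead of the translated one.

```python
import ipaddress

# Objects and prefixes exactly as in the answer above.
LOCAL_NET = ipaddress.ip_network("192.168.1.0/24")       # Local-net: the real inside addresses
TRANSLATED_NET = ipaddress.ip_network("172.31.1.0/24")   # Translated-net: prefix assigned by the Fortinet admin
FORTINET_NET = ipaddress.ip_network("10.10.115.0/24")    # Fortinet-net: the remote side
# Interesting traffic from the answer: permit ip 172.31.1.0/24 10.10.115.0/24 (translated source).
CRYPTO_ACL = (TRANSLATED_NET, FORTINET_NET)
# The mistake the answer warns against: writing the real network in the crypto ACL.
WRONG_CRYPTO_ACL = (LOCAL_NET, FORTINET_NET)


def _shift(addr, from_net, to_net):
    """Subnet-to-subnet static NAT: keep the host part, replace the prefix."""
    offset = int(addr) - int(from_net.network_address)
    return ipaddress.ip_address(int(to_net.network_address) + offset)


def outbound(src, dst, crypto_acl=CRYPTO_ACL):
    """Packet leaving inside->outside. Returns (source on the wire, destination, tunneled).

    The 'source static ... destination static' rule is a policy NAT: it fires only for
    Local-net -> Fortinet-net. Other traffic is left untouched by this model (on the real
    box it would fall through to the next NAT rule). The crypto ACL sees the translated packet.
    """
    src, dst = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    if src in LOCAL_NET and dst in FORTINET_NET:
        src = _shift(src, LOCAL_NET, TRANSLATED_NET)
    tunneled = src in crypto_acl[0] and dst in crypto_acl[1]
    return str(src), str(dst), tunneled


def inbound(src, dst):
    """Return packet from the Fortinet side. Static NAT is bidirectional, so a destination
    in Translated-net is mapped back to the matching real host in Local-net."""
    src, dst = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    if src in FORTINET_NET and dst in TRANSLATED_NET:
        dst = _shift(dst, TRANSLATED_NET, LOCAL_NET)
    return str(src), str(dst)


if __name__ == "__main__":
    # Constructed hosts for the demo.
    print(outbound("192.168.1.50", "10.10.115.7"))                    # ('172.31.1.50', '10.10.115.7', True)
    print(outbound("192.168.1.50", "10.10.115.7", WRONG_CRYPTO_ACL))  # translated packet no longer matches
    print(outbound("192.168.1.50", "8.8.8.8"))                        # not policy traffic: untouched, not tunneled
    print(inbound("10.10.115.7", "172.31.1.50"))                      # ('10.10.115.7', '192.168.1.50')
```

The host offset is preserved, so 192.168.1.50 is always seen as 172.31.1.50 by the Fortinet side and its replies land on the right real host; the remote admin can therefore write host-level rules against the assigned prefix without knowing the overlapping one. The second call shows why the answer insists on the translated prefix in the crypto ACL: the packet that reaches the crypto map already carries 172.31.1.x, so an ACL written with 192.168.1.0/24 never selects it for encryption.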
Please rate any posts you find useful
-
Hi, we have had Verizon DSL for several years and were recently given a new GT784WNV modem/router. I would like to replace my old Linksys router with this device, but the big problem at the moment is that the GT784WNV will not perform NAT translation for a secondary subnet.
I have a basic network for the household PCs and devices, with the GT784WNV providing Internet gateway services. This stuff all works pretty much as desired. I also have a second subnet for work-related computers, which is on a second switch behind another router. I added the necessary routing information to the GT784WNV so that it knows about the second subnet, and am able to successfully ping the devices on that subnet from the GT784WNV diagnostics, and vice versa. However, the devices on that subnet cannot connect to the Internet--they cannot ping anything past the GT784WNV, they cannot access web pages, or do anything else. From what I can tell, the NAT module in the GT784WNV is not creating mappings for the devices on the second subnet.
I have done some preliminary research and it appears that other people were able to resolve this by adding explicit firewall rules; however, I don't see any way to enter these rules in the router's configuration. Does anybody have any advice for me? Can these rules be added with the CLI via the TELNET interface?
Thanks for any assistance.
Let me give a more detailed picture and see if I can answer your questions along the way.
All the PCs on the home network are plugged into a D-Link gigabit ethernet switch. The Linksys router has a single connection to the switched ethernet segment, and the wireless AP is bridged to the LAN segment (so that wireless devices are on the LAN side). Meanwhile, the Linksys also provides Internet routing/firewall functions by talking to the (old) Westell modem over PPPoE on a separate WAN link. The Linksys is running DD-WRT firmware for all this.
My office gear is on a separate HP switch. I have an additional Juniper router/firewall that plugs into the HP router on one port, and plugs into the home D-Link switch on another port. The home and office networks are on completely different IP ranges (the work network uses the work subnet allocation). The Juniper between the two networks has an IP address for each network that it is connected to. The devices on the office network have a default route to the Juniper, and it has a default route to the Linksys. The Linksys has a subnet route for my office network that points to the Juniper, and a default route for the PPP connection.
With this setup, I can do everything perfectly fine. I can access files and printers on each network from any PC, can access the Internet through the remote router, and so forth. I can even host a COD game on my work computer and the Linksys will handle the NAT mapping and forwarding perfectly.
Alright. Now we got this new GT784WNV device, which was sent to us in an effort to correct a problem with the DSL service (unrelated; that was resolved with infrastructure changes, by moving us to another port on the card at the neighborhood switch). Having the modem in the same box simplifies some things, so even though I don't need it I would like to see if I can make it work.
So I unplugged the Linksys and Westell, plugged the GT784WNV into the D-Link, gave it the IP address from the old Linksys, and added a route statement for my office network pointing to the Juniper. Basically I just replaced the Linksys and modem with the Verizon box. I am able to ping the GT784WNV from my office PCs, and I can open a TELNET session to the device from that network as well. However I am not able to communicate with any Internet resources; I cannot ping anything or talk to any remote web servers or anything at all.
My observation is that the GT784WNV is not forwarding packets from my office network. My assumption is that this is because it thinks the source IP addresses are not "local" and so the firewall rules in the device are preventing them from being serviced by the NAT module. I am basing this assumption on a couple of things, one is that some other people with other models have run into similar problems and have corrected it by unblocking the NAT module in the firewall rules (no such option in the GT784WNV), also I noticed that the routing table in the GT784WNV does not have options for "local" or "remote" so there is no way to explicitly flag that the office subnet is actually "local" (the routing works because the interface matches the LAN link, not because it knows the destination is "local").
What I am looking for is a way to get at the firewall rules from the TELNET CLI and see if I can study and/or override the NAT restriction. Or, if there are some other alternatives that might solve the issue, that would be good too.
Frankly, after examining some of the other features on this device, I do not believe it is going to be useful anyway. I do some other things with the DD-WRT firmware that I cannot replicate on this router, and so I suspect at this point that it is not going to be a viable replacement anyway. However, I am still interested in trying to get over this hurdle, and will take it from there. Otherwise it's going in the trash.
-
NATting of a subnet IP address existing over the WAN
I have a branch office with subnet 172.26.48.0/22; one IP from this subnet, say 172.26.48.100, is assigned to a server. Now our requirement is to access this server from outside, meaning from the Internet. This branch office is connected through a leased line to the main office. Now the main office has a firewall and a local subnet in which the servers are, and they are NATted to be accessed over the Internet. We tried to make it possible; we got a ping response from outside also, but the latency gets stuck so that the firewall looks to be in hang mode, with latency around 900 ms if NATting is done, otherwise 250-300 ms. What can we do? Is any alternate approach suggested?
Diagram attachment is there.
Regards,
Rajat
NO, I mean we get a normal response of 250-300 ms on the HQ-to-outside link, ping response of 4.2.2.2, no branch included. If we NAT the branch IP mentioned above, suddenly the latency gets high while pinging 4.2.2.2, so the firewall does not behave normally in this case.
However, if we remove the NATting command from the firewall we still get latency; only after rebooting does it come back to normal.
Second, is it possible or practical to NAT the IP of the branch office on the headquarters firewall? Is it suggested by Cisco?
Please help.
Regards,
Rajat
-
How to NAT subnets before establishing a site-to-site IPsec VPN tunnel?
Hello,
I have come across a requirement which is new to me, as I have not done this setup. Details as follows. Hope someone can help.
Requirement: NAT existing subnets to the 192.168.50.0/24 subnet, which is allowed at another firewall.
Existing device: Cisco 5510 where I need to do this NAT.
Existing scenario in short: I have created VLANs on the ASA by creating sub-interfaces.
Changes done: added a new sub-interface for 192.168.50.0. Added a new object for 192.168.50.0. Now done with creation of an ACL where traffic from 192.168.50.0 to the remote subnets is allowed. In the NAT object section, done NATting 1-to-1, i.e. existing subnet to 192.168.50.0.
Done IPsec VPN setup including phase 1 & 2.
Now tried to ping remote hosts but they are not reachable.
Please advise how to make it work.
I don't have any router next to the ASA 5510. The ASA is in routed mode. The next hop from the ASA is the ISP's mux.
Hello. Please find my answers inline.
I first got the picture that the NAT network is 192.168.50.0/24 and some other networks should be NATed to this.
Answer: Thats correct.
Later on it seems that you have configured this to some interface on the ASA?
Answer: Yes, as I have defined VLANs on the ASA itself, i.e. other subnets too, i.e. the 10.x series & 192.168.222.x series. I used Ethernet 0/0 as the main interface for all LAN networks and have created sub-interfaces, i.e. VLANs, on it. Using a 3COM switch down from the ASA to terminate those VLANs & distribute to unmanaged switches. Due to port limitations on the ASA I have configured VLANs on the ASA itself. Ethernet 0/2 is my WAN interface, i.e. the ISP link terminates on the Eth 0/2 port.
So are you attempting to NAT some other LAN networks to this single NAT network before the traffic heads to the L2L VPN connection on your ASA?
Answer: Yes, that's right. Attempting to NAT multiple networks to a single NAT network before traffic heads to the L2L VPN connecting from my ASA 5510 to the remote Citrix firewall.
Can you then mention what are the source networks and source interfaces for these networks? What is the destination network at the remote end of the L2L VPN connection?
Answer: Source networks = 10.100.x series & 192.168.222.x series / Destination networks are from the 192.168.228.x, 192.168.229.x series. The remote admin wants us to NAT our multiple subnets to a single subnet, i.e. 192.168.50.0, and then traffic from this subnet is allowed at the remote end.
Do you want to just do a NAT Pool of the 192.168.50.0/24 network for all your Internet users OR does the remote end also have to be able to connect to some of your sites hosts/servers?
Answer: Yes, I just want to NAT the LAN subnets to 192.168.50.0/24 for all LAN users. One-way access; I am going to access remote servers.
The new thing for me is how to NAT multiple subnets. I have existing IPsec VPNs where I have added multiple subnets, which is the traditional setup for me. This requirement is new to me.
-
Two Cisco ASA 5505, IPsec Multiple Subnets, Problem with Phase 2, DSL
Hi all.
We have the following IPsec configuration:
ASA Site 1:
Cisco Adaptive Security Appliance Software Version 9.1(1)
crypto ipsec ikev1 transform-set TSAES esp-aes-256 esp-sha-hmac
crypto ipsec ikev1 transform-set TSMD5 esp-3des esp-md5-hmac
crypto ipsec ikev2 ipsec-proposal PropAES256
access-list SITE_2 extended permit ip 172.27.0.0 255.255.0.0 172.27.97.0 255.255.255.0
access-list SITE_2 extended permit ip 172.28.60.0 255.255.254.0 172.27.97.0 255.255.255.0
access-list SITE_2 extended permit ip 172.22.0.0 255.255.0.0 172.27.97.0 255.255.255.0
access-list SITE_2 extended permit ip 172.27.0.0 255.255.0.0 172.27.99.0 255.255.255.0
access-list SITE_2 extended permit ip 172.22.0.0 255.255.0.0 172.27.99.0 255.255.255.0
crypto map CMVPN 5 match address SITE_2
crypto map CMVPN 5 set peer IP_SITE2
crypto map CMVPN 5 set ikev2 ipsec-proposal PropAES256
crypto map CMVPN interface OUTSIDE
route OUTSIDE 172.27.97.0 255.255.255.0 citic-internet-gw 255
route OUTSIDE 172.27.99.0 255.255.255.0 citic-internet-gw 255
tunnel-group IP_SITE2 type ipsec-l2l
tunnel-group IP_SITE2 general-attributes
default-group-policy VPN_S2S_WAN
tunnel-group IP_SITE2 ipsec-attributes
ikev2 remote-authentication pre-shared-key *****
ikev2 local-authentication pre-shared-key *****
ASA Site 2:
Cisco Adaptive Security Appliance Software Version 9.1(4)
access-list SITE_1 extended permit ip 172.27.97.0 255.255.255.0 172.28.60.0 255.255.254.0
access-list SITE_1 extended permit ip 172.27.97.0 255.255.255.0 172.27.0.0 255.255.0.0
access-list SITE_1 extended permit ip 172.27.97.0 255.255.255.0 172.22.0.0 255.255.0.0
access-list SITE_1 extended permit ip 172.27.99.0 255.255.255.0 172.27.0.0 255.255.0.0
access-list SITE_1 extended permit ip 172.27.99.0 255.255.255.0 172.22.0.0 255.255.0.0
crypto map CMVPN 10 match address SITE_1
crypto map CMVPN 10 set peer IP_SITE1
crypto map CMVPN 10 set ikev2 ipsec-proposal IKEV2AES
crypto map CMVPN 10 set reverse-route
crypto map CMVPN interface OUTSIDE
tunnel-group IP_SITE1 type ipsec-l2l
tunnel-group IP_SITE1 general-attributes
default-group-policy VPN_S2S_WAN
tunnel-group IP_SITE1 ipsec-attributes
ikev2 remote-authentication pre-shared-key *****
ikev2 local-authentication pre-shared-key *****
We are not able to reach 172.27.99.x IPs from 172.22.20.x IPs.
It seems that the phase 2 for this subnet is missing... as long as we try to reach any IP in 172.22.20.x from 172.27.99.x.
We are using a similar configuration on many sites and it works correctly except at sites with a DSL line.
We can exclude a problem with NAT, ACL or routing. The connection is working fine as long as "we open all phase 2 manually". After re-opening the tunnel (idle timeout) the problem comes back.
Thanks in advance for your help.
Regards.
Jan
ASA Site 1# sh vpn-sessiondb detail l2l filter ipaddress ASA Site 2
Session Type: LAN-to-LAN Detailed
Connection : IP ASA Site 2
Index : 3058 IP Addr : IP ASA Site 2
Protocol : IKEv2 IPsec
Encryption : IKEv2: (1)AES256 IPsec: (3)AES256
Hashing : IKEv2: (1)SHA512 IPsec: (3)SHA1
Bytes Tx : 423634 Bytes Rx : 450526
Login Time : 19:59:35 HKT Tue Apr 29 2014
Duration : 1h:50m:45s
IKEv2 Tunnels: 1
IPsec Tunnels: 3
IKEv2:
Tunnel ID : 3058.1
UDP Src Port : 500 UDP Dst Port : 500
Rem Auth Mode: preSharedKeys
Loc Auth Mode: preSharedKeys
Encryption : AES256 Hashing : SHA512
Rekey Int (T): 86400 Seconds Rekey Left(T): 79756 Seconds
PRF : SHA512 D/H Group : 5
Filter Name :
IPv6 Filter :
IPsec:
Tunnel ID : 3058.2
Local Addr : 172.22.0.0/255.255.0.0/0/0
Remote Addr : 172.27.97.0/255.255.255.0/0/0
Encryption : AES256 Hashing : SHA1
Encapsulation: Tunnel
Rekey Int (T): 28800 Seconds Rekey Left(T): 22156 Seconds
Rekey Int (D): 4608000 K-Bytes Rekey Left(D): 4607648 K-Bytes
Idle Time Out: 25 Minutes Idle TO Left : 24 Minutes
Bytes Tx : 312546 Bytes Rx : 361444
Pkts Tx : 3745 Pkts Rx : 3785
IPsec:
Tunnel ID : 3058.3
Local Addr : 172.27.0.0/255.255.0.0/0/0
Remote Addr : 172.27.97.0/255.255.255.0/0/0
Encryption : AES256 Hashing : SHA1
Encapsulation: Tunnel
Rekey Int (T): 28800 Seconds Rekey Left(T): 22165 Seconds
Rekey Int (D): 4608000 K-Bytes Rekey Left(D): 4607952 K-Bytes
Idle Time Out: 25 Minutes Idle TO Left : 24 Minutes
Bytes Tx : 50014 Bytes Rx : 44621
Pkts Tx : 496 Pkts Rx : 503
IPsec:
Tunnel ID : 3058.4
Local Addr : 172.27.0.0/255.255.0.0/0/0
Remote Addr : 172.27.99.0/255.255.255.0/0/0
Encryption : AES256 Hashing : SHA1
Encapsulation: Tunnel
Rekey Int (T): 28800 Seconds Rekey Left(T): 22324 Seconds
Rekey Int (D): 4608000 K-Bytes Rekey Left(D): 4607941 K-Bytes
Idle Time Out: 25 Minutes Idle TO Left : 24 Minutes
Bytes Tx : 61074 Bytes Rx : 44461
Pkts Tx : 402 Pkts Rx : 437
NAC:
Reval Int (T): 0 Seconds Reval Left(T): 0 Seconds
SQ Int (T) : 0 Seconds EoU Age(T) : 6648 Seconds
Hold Left (T): 0 Seconds Posture Token:
Redirect URL :
... after ping from 172.27.99.x to any IP in 172.22.20.x.
ASA Site 1# sh vpn-sessiondb detail l2l filter ipaddress ASA Site 2
Session Type: LAN-to-LAN Detailed
Connection : IP ASA Site 2
Index : 3058 IP Addr : IP ASA Site 2
Protocol : IKEv2 IPsec
Encryption : IKEv2: (1)AES256 IPsec: (4)AES256
Hashing : IKEv2: (1)SHA512 IPsec: (4)SHA1
Bytes Tx : 784455 Bytes Rx : 1808965
Login Time : 19:59:35 HKT Tue Apr 29 2014
Duration : 2h:10m:48s
IKEv2 Tunnels: 1
IPsec Tunnels: 4
IKEv2:
Tunnel ID : 3058.1
UDP Src Port : 500 UDP Dst Port : 500
Rem Auth Mode: preSharedKeys
Loc Auth Mode: preSharedKeys
Encryption : AES256 Hashing : SHA512
Rekey Int (T): 86400 Seconds Rekey Left(T): 78553 Seconds
PRF : SHA512 D/H Group : 5
Filter Name :
IPv6 Filter :
IPsec:
Tunnel ID : 3058.2
Local Addr : 172.22.0.0/255.255.0.0/0/0
Remote Addr : 172.27.97.0/255.255.255.0/0/0
Encryption : AES256 Hashing : SHA1
Encapsulation: Tunnel
Rekey Int (T): 28800 Seconds Rekey Left(T): 20953 Seconds
Rekey Int (D): 4608000 K-Bytes Rekey Left(D): 4606335 K-Bytes
Idle Time Out: 25 Minutes Idle TO Left : 24 Minutes
Bytes Tx : 652492 Bytes Rx : 1705136
Pkts Tx : 7419 Pkts Rx : 7611
IPsec:
Tunnel ID : 3058.3
Local Addr : 172.27.0.0/255.255.0.0/0/0
Remote Addr : 172.27.97.0/255.255.255.0/0/0
Encryption : AES256 Hashing : SHA1
Encapsulation: Tunnel
Rekey Int (T): 28800 Seconds Rekey Left(T): 20962 Seconds
Rekey Int (D): 4608000 K-Bytes Rekey Left(D): 4607942 K-Bytes
Idle Time Out: 25 Minutes Idle TO Left : 24 Minutes
Bytes Tx : 60128 Bytes Rx : 52359
Pkts Tx : 587 Pkts Rx : 594
IPsec:
Tunnel ID : 3058.4
Local Addr : 172.27.0.0/255.255.0.0/0/0
Remote Addr : 172.27.99.0/255.255.255.0/0/0
Encryption : AES256 Hashing : SHA1
Encapsulation: Tunnel
Rekey Int (T): 28800 Seconds Rekey Left(T): 21121 Seconds
Rekey Int (D): 4608000 K-Bytes Rekey Left(D): 4607931 K-Bytes
Idle Time Out: 25 Minutes Idle TO Left : 24 Minutes
Bytes Tx : 70949 Bytes Rx : 50684
Pkts Tx : 475 Pkts Rx : 514
IPsec:
Tunnel ID : 3058.5
Local Addr : 172.22.0.0/255.255.0.0/0/0
Remote Addr : 172.27.99.0/255.255.255.0/0/0
Encryption : AES256 Hashing : SHA1
Encapsulation: Tunnel
Rekey Int (T): 28800 Seconds Rekey Left(T): 28767 Seconds
Rekey Int (D): 4608000 K-Bytes Rekey Left(D): 4608000 K-Bytes
Idle Time Out: 25 Minutes Idle TO Left : 24 Minutes
Bytes Tx : 961 Bytes Rx : 871
Pkts Tx : 17 Pkts Rx : 14
NAC:
Reval Int (T): 0 Seconds Reval Left(T): 0 Seconds
SQ Int (T) : 0 Seconds EoU Age(T) : 7852 Seconds
Hold Left (T): 0 Seconds Posture Token:
Redirect URL :
Cisco ASA 5505 IPSEC, one endpoint behind NAT device
We have two Cisco ASA 5505 devices.
Both are identical, however, one of them is behind a NAT device.
We are attempting to create an IPSEC network.
Site fg:
<ipsec subnet1> -- ASA 5505 (ASA1) -- <internet>
ASA1: 10.1.1.2/24 (inside), 212.xxx.xxx.xxx/28 (outside)
Site be:
<ipsec_subnet2> -- ASA 5505 (ASA3) -- Zywall USG (USG1) -- <internet>
ASA3: 10.1.4.1/24 (inside), 192.168.4.50/24 (outside)
USG1: 192.168.4.100/24 (inside), 195.xxx.xxx.xxx/30 (outside)
USG1: UDP port 500/4500 forwarded to 192.168.4.50
It seems that ASA1 stops the procedure (we verified this with debug crypto isakmp 254):
Group = 195.xxx.xxx.xxx, IP = 195.xxx.xxx.xxx, QM FSM error (P2 struct &0xd1111cd8, mess id 0x81111a78)!
Group = 195.xxx.xxx.xxx, IP = 195.xxx.xxx.xxx, Rejecting IPSec tunnel: no matching crypto map entry for remote proxy 192.168.4.50/255.255.255.255/0/0 local proxy 212.xxx.xxx.xxx/255.255.255.255/0/0 on interface outside
Group = 195.xxx.xxx.xxx, IP = 195.xxx.xxx.xxx, PHASE 1 COMPLETED
We verified / attempted the following:
- NAT exemption on both sides for IPsec subnets
- Mirror image crypto maps
- Disabled IKE peer ID validation (yes, pre-shared key, but we ran out of ideas)
- Toggled between static and dynamic crypto maps on ASA1
Most search results turned up results referring to incorrect settings of the crypto map or the lack of NAT exemption.
Does anyone have any idea?
195.txt contains show running-config of ASA3
212.txt contains show running-config of ASA1
log.txt contains a more or less complete log snippet of ASA1
Hi,
on 212 I see
tunnel-group 195.xxx.xxx.xxx type ipsec-l2l
tunnel-group 195.xxx.xxx.xxx ipsec-attributes
pre-shared-key
When you define the peer with a static tunnel-group entry, the ASA looks for the peer configuration in a static crypto map. If the peer is behind static NAT, configure a proper static crypto map with matching ACL and proposals.
If the peer is behind dynamic NAT, refer to this example: http://www.cisco.com/c/en/us/support/docs/security/pix-500-series-security-appliances/81883-ipsec-iosrtr-dyn-pix-nat.html
Regards,
Abaji. -
Problems getting static NAT to work between two internal lans
Hi, I'm trying the old problem of routing between two internal LANs. This is on CLI 8.6(1)2. I have three interfaces/LANs: outside is to the internet, inside is the rack in the datacentre and office is a dedicated ethernet link to our office. What I want to do is allow all (for now) traffic between office and inside. There are a million hits on this on the 'net but I can't get it to work. Packet trace shows packets accepted from office to inside but blocked from inside to office. Both static NATs are set up identically. Here's the output of show nat after packet traces in both directions. It clearly shows that inside to office isn't hitting the NAT policy. I enclose what I think are the relevant bits of my config. Full config less passwords + crypto attached.
Manual NAT Policies (Section 1)
1 (office) to (inside) source static inside-office inside-office destination static inside-ld5 inside-ld5 no-proxy-arp route-lookup
translate_hits = 0, untranslate_hits = 3
2 (inside) to (office) source static inside-ld5 inside-ld5 destination static inside-office inside-office no-proxy-arp route-lookup
translate_hits = 0, untranslate_hits = 0
interface GigabitEthernet0/0
nameif inside-ld5
security-level 100
ip address 10.20.15.2 255.255.255.0
interface GigabitEthernet0/6
nameif office
security-level 100
ip address 10.20.11.9 255.255.255.0
object network inside-ld5
subnet 10.20.15.0 255.255.255.0
object network inside-office
subnet 10.20.11.0 255.255.255.0
same-security-traffic permit inter-interface
same-security-traffic permit intra-interface
nat (office,inside) source static inside-office inside-office destination static inside-ld5 inside-ld5 no-proxy-arp route-lookup
nat (inside,office) source static inside-ld5 inside-ld5 destination static inside-office inside-office no-proxy-arp route-lookup
Hi Kevin,
because your interfaces inside and office are at the same security level and you have enabled same-security-traffic permit inter-interface, traffic should simply flow between these interfaces. So I think you don't need NAT between these two subnets if there is no other reason to do so.
Then you just configure an ACL which will permit the traffic you want between these LANs. In this case both networks are directly connected, so routing should work (instead of NAT).
Best Regards,
Jan -
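Jan's suggestion carried through, as an added example that is not from Kevin's or Jan's posts: drop the manual NAT pair, put an explicit ACL on each of the two same-security interfaces, and re-run the trace for the direction that was failing. Object and interface names are the ones in Kevin's config (the interface is assumed to be named inside-ld5, as in the interface block, even though his nat lines say inside); the two host addresses in the packet-tracer line are constructed.

```cisco
! Added example: remove the manual NAT pair. Both interfaces sit at
! security-level 100 and same-security-traffic permit inter-interface is set,
! so no translation is needed for directly connected subnets.
no nat (office,inside) source static inside-office inside-office destination static inside-ld5 inside-ld5 no-proxy-arp route-lookup
no nat (inside,office) source static inside-ld5 inside-ld5 destination static inside-office inside-office no-proxy-arp route-lookup
!
! Explicit ACLs on both interfaces. Once an access-group is applied to an
! interface, the implicit same-security permit on that interface is replaced
! by the ACL (with its implicit deny), so each direction gets its own list.
! "ip" is used only because the question asks for "all traffic for now";
! narrow it to the required ports afterwards.
access-list OFFICE_IN extended permit ip object inside-office object inside-ld5
access-list OFFICE_IN extended deny ip any any log
access-group OFFICE_IN in interface office
!
access-list LD5_IN extended permit ip object inside-ld5 object inside-office
access-list LD5_IN extended deny ip any any log
access-group LD5_IN in interface inside-ld5
!
! Verify the direction that was failing (hosts .10 and .20 are constructed).
! Expect every phase to be ALLOW, a final "Action: allow", and no NAT phase.
packet-tracer input inside-ld5 tcp 10.20.15.10 12345 10.20.11.20 3389 detailed
```

After this, show nat should report no hits at all for traffic between the two LANs, since the flow no longer matches any translation; the deny-with-log entries make any remaining drop visible in the syslog rather than silent.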
Static NAT - VPN - Internet Access
Does anyone know how to configure the following?
1. A static NAT from an inside IP address to another inside IP address (not a physical subnet).
2. The traffic static NATted in step 1 needs to go into a VPN tunnel and at the same time have internet access.
My router just has two interfaces, a WAN and a LAN.
I just created the VPN, the static NAT and the PAT for other users of the subnet to have internet access, but the traffic static NATted just goes over the IPsec tunnel and cannot have internet access.
I tried to apply a route map after the static nat command, but since I do not have a physical interface in the same subnet where I am translating, the route-map is not applied to the static nat command.
In an extract:
LAN traffic (specific server) --->> static nat to inside not real subnet --->> traffic goes over Tunnel (OK), but no internet access.
BTW, I need to configure the NAT before the IPsec tunnel because both LAN subnets of the IPsec tunnel endpoints are the same.
Why do you need an inside host to be NATted to another inside IP address?
You need to configure a "no nat" policy for the internet traffic. -
Anyconnect VPN peers cannot ping, RDP each other
I have an ASA5505 running ASA 8.3(1) and ASDM 7.1(1). I have a remote access VPN set up and the remote access users are able to log in and access LAN resources. I can ping the VPN peers from the remote LAN. My problem is that the VPN peers cannot ping (RDP, etc.) each other. Pinging one VPN peer from another reveals the following error in the ASA log.
Asymmetric NAT rules matched for forward and reverse flows; Connection for icmp src outside:10.10.10.8 dst outside:10.10.10.9 (type 8, code 0) denied due to NAT reverse path failure.
Below is my ASA running-config:
ASA Version 8.3(1)
hostname ciscoasa
domain-name dental.local
enable password 9ddwXcOYB3k84G8Q encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
names
interface Vlan1
nameif inside
security-level 100
ip address 192.168.1.1 255.255.255.0
interface Vlan2
nameif outside
security-level 0
ip address dhcp setroute
interface Ethernet0/0
switchport access vlan 2
interface Ethernet0/1
interface Ethernet0/2
interface Ethernet0/3
interface Ethernet0/4
interface Ethernet0/5
interface Ethernet0/6
interface Ethernet0/7
ftp mode passive
clock timezone CST -6
clock summer-time CDT recurring
dns domain-lookup inside
dns server-group DefaultDNS
name-server 192.168.1.128
domain-name dental.local
same-security-traffic permit inter-interface
same-security-traffic permit intra-interface
object network obj_any
subnet 0.0.0.0 0.0.0.0
object network RAVPN
subnet 10.10.10.0 255.255.255.0
object network NETWORK_OBJ_10.10.10.0_28
subnet 10.10.10.0 255.255.255.240
object network NETWORK_OBJ_192.168.1.0_24
subnet 192.168.1.0 255.255.255.0
access-list Local_LAN_Access remark VPN client local LAN access
access-list Local_LAN_Access standard permit host 0.0.0.0
access-list DefaultRAGroup_splitTunnelAcl standard permit 192.168.1.0 255.255.255.0
access-list VpnPeers remark allow vpn peers to ping each other
access-list VpnPeers extended permit ip object NETWORK_OBJ_10.10.10.0_28 object NETWORK_OBJ_10.10.10.0_28
pager lines 24
logging enable
logging asdm informational
logging mail informational
logging from-address [email protected]
logging recipient-address [email protected] level informational
logging rate-limit 1 600 level 6
mtu outside 1500
mtu inside 1500
ip local pool VPNPool 10.10.10.5-10.10.10.10 mask 255.255.255.0
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-711.bin
no asdm history enable
arp timeout 14400
nat (inside,any) source static any any destination static RAVPN RAVPN
nat (inside,outside) source static NETWORK_OBJ_192.168.1.0_24 NETWORK_OBJ_192.168.1.0_24 destination static NETWORK_OBJ_10.10.10.0_28 NETWORK_OBJ_10.10.10.0_28
nat (inside,outside) source static any any destination static NETWORK_OBJ_10.10.10.0_28 NETWORK_OBJ_10.10.10.0_28
object network obj_any
nat (inside,outside) dynamic interface
object network RAVPN
nat (any,outside) dynamic interface
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
dynamic-access-policy-record DfltAccessPolicy
http server enable
http 192.168.1.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server community *****
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
crypto ipsec transform-set ESP-DES-SHA esp-des esp-sha-hmac
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac
crypto ipsec transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto ipsec transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
crypto ipsec transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
crypto ipsec transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac
crypto ipsec transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac
crypto ipsec transform-set ESP-AES-128-SHA-TRANS esp-aes esp-sha-hmac
crypto ipsec transform-set ESP-AES-128-SHA-TRANS mode transport
crypto ipsec transform-set ESP-DES-SHA-TRANS esp-des esp-sha-hmac
crypto ipsec transform-set ESP-DES-SHA-TRANS mode transport
crypto ipsec transform-set ESP-AES-192-SHA-TRANS esp-aes-192 esp-sha-hmac
crypto ipsec transform-set ESP-AES-192-SHA-TRANS mode transport
crypto ipsec transform-set ESP-AES-256-SHA-TRANS esp-aes-256 esp-sha-hmac
crypto ipsec transform-set ESP-AES-256-SHA-TRANS mode transport
crypto ipsec transform-set ESP-3DES-SHA-TRANS esp-3des esp-sha-hmac
crypto ipsec transform-set ESP-3DES-SHA-TRANS mode transport
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set transform-set ESP-AES-128-SHA ESP-AES-192-SHA ESP-AES-256-SHA ESP-3DES-SHA ESP-DES-SHA ESP-AES-128-SHA-TRANS ESP-AES-192-SHA-TRANS ESP-AES-256-SHA-TRANS ESP-3DES-SHA-TRANS ESP-DES-SHA-TRANS
crypto map outside_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
crypto map outside_map interface outside
crypto ca trustpoint LOCAL-CA-SERVER
keypair LOCAL-CA-SERVER
crl configure
crypto ca trustpoint ASDM_TrustPoint0
enrollment self
subject-name CN=ciscoasa
keypair billvpnkey
proxy-ldc-issuer
crl configure
crypto ca server
cdp-url http://ciscoasa/+CSCOCA+/asa_ca.crl
issuer-name CN=ciscoasa
smtp from-address admin@ciscoasa
crypto ca certificate chain LOCAL-CA-SERVER
certificate ca 01
**hidden**
quit
crypto ca certificate chain ASDM_TrustPoint0
certificate 10bdec50
**hidden**
quit
crypto isakmp enable outside
crypto isakmp policy 10
authentication crack
encryption aes-256
hash sha
group 2
lifetime 86400
crypto isakmp policy 20
authentication rsa-sig
encryption aes-256
hash sha
group 2
lifetime 86400
crypto isakmp policy 30
authentication pre-share
encryption aes-256
hash sha
group 2
lifetime 86400
crypto isakmp policy 40
authentication crack
encryption aes-192
hash sha
group 2
lifetime 86400
crypto isakmp policy 50
authentication rsa-sig
encryption aes-192
hash sha
group 2
lifetime 86400
crypto isakmp policy 60
authentication pre-share
encryption aes-192
hash sha
group 2
lifetime 86400
crypto isakmp policy 70
authentication crack
encryption aes
hash sha
group 2
lifetime 86400
crypto isakmp policy 80
authentication rsa-sig
encryption aes
hash sha
group 2
lifetime 86400
crypto isakmp policy 90
authentication pre-share
encryption aes
hash sha
group 2
lifetime 86400
crypto isakmp policy 100
authentication crack
encryption 3des
hash sha
group 2
lifetime 86400
crypto isakmp policy 110
authentication rsa-sig
encryption 3des
hash sha
group 2
lifetime 86400
crypto isakmp policy 120
authentication pre-share
encryption 3des
hash sha
group 2
lifetime 86400
crypto isakmp policy 130
authentication crack
encryption des
hash sha
group 2
lifetime 86400
crypto isakmp policy 140
authentication rsa-sig
encryption des
hash sha
group 2
lifetime 86400
crypto isakmp policy 150
authentication pre-share
encryption des
hash sha
group 2
lifetime 86400
client-update enable
telnet 192.168.1.1 255.255.255.255 inside
telnet timeout 5
ssh timeout 5
console timeout 0
management-access inside
dhcpd auto_config outside
dhcpd address 192.168.1.50-192.168.1.99 inside
dhcpd enable inside
threat-detection basic-threat
threat-detection statistics
threat-detection statistics tcp-intercept rate-interval 30 burst-rate 400 average-rate 200
ssl trust-point ASDM_TrustPoint0 outside
webvpn
enable outside
svc image disk0:/anyconnect-win-3.1.04072-k9.pkg 1
svc profiles DellStudioClientProfile disk0:/dellstudioclientprofile.xml
svc enable
tunnel-group-list enable
internal-password enable
smart-tunnel list SmartTunnelList RDP mstsc.exe platform windows
group-policy DefaultRAGroup internal
group-policy DefaultRAGroup attributes
dns-server value 192.168.1.128
vpn-tunnel-protocol l2tp-ipsec
split-tunnel-policy tunnelspecified
split-tunnel-network-list value DefaultRAGroup_splitTunnelAcl
default-domain value dental.local
webvpn
svc modules value vpngina
group-policy DefaultRAGroup_1 internal
group-policy DefaultRAGroup_1 attributes
dns-server value 192.168.1.128
vpn-tunnel-protocol l2tp-ipsec
default-domain value dental.local
group-policy DfltGrpPolicy attributes
dns-server value 192.168.1.128
vpn-simultaneous-logins 4
vpn-tunnel-protocol IPSec l2tp-ipsec svc webvpn
group-lock value RAVPN
split-tunnel-network-list value Local_LAN_Access
default-domain value dental.local
webvpn
url-list value DentalMarks
svc modules value vpngina
svc profiles value dellstudio type user
svc ask enable default webvpn
smart-tunnel enable SmartTunnelList
username wketchel1 password 5c5OoeNtCiX6lGih encrypted
username wketchel1 attributes
vpn-group-policy DfltGrpPolicy
webvpn
svc profiles value DellStudioClientProfile type user
username wketchel password 5c5OoeNtCiX6lGih encrypted privilege 15
username wketchel attributes
vpn-group-policy DfltGrpPolicy
webvpn
svc modules none
svc profiles value DellStudioClientProfile type user
username jenniferk password 5.TcqIFN/4yw0Vq1 encrypted privilege 0
username jenniferk attributes
vpn-group-policy DfltGrpPolicy
webvpn
svc profiles value DellStudioClientProfile type user
tunnel-group DefaultRAGroup general-attributes
address-pool VPNPool
authorization-server-group LOCAL
tunnel-group DefaultRAGroup ipsec-attributes
pre-shared-key *****
tunnel-group DefaultRAGroup ppp-attributes
authentication pap
authentication ms-chap-v2
authentication eap-proxy
tunnel-group RAVPN type remote-access
tunnel-group RAVPN general-attributes
address-pool VPNPool
authorization-server-group LOCAL
tunnel-group RAVPN webvpn-attributes
group-alias RAVPN enable
tunnel-group RAVPN ipsec-attributes
pre-shared-key *****
tunnel-group RAVPN ppp-attributes
authentication pap
authentication ms-chap-v2
authentication eap-proxy
tunnel-group WebSSLVPN type remote-access
tunnel-group WebSSLVPN webvpn-attributes
group-alias WebSSLVPN enable
class-map inspection_default
match default-inspection-traffic
policy-map type inspect dns preset_dns_map
parameters
message-length maximum client auto
message-length maximum 512
policy-map global_policy
class inspection_default
inspect dns preset_dns_map
inspect ftp
inspect h323 h225
inspect h323 ras
inspect rsh
inspect rtsp
inspect esmtp
inspect sqlnet
inspect skinny
inspect sunrpc
inspect xdmcp
inspect sip
inspect netbios
inspect tftp
inspect ip-options
service-policy global_policy global
smtp-server 173.194.64.108
prompt hostname context
hpm topN enable
Cryptochecksum:3304bf6dcf6af5804a21e9024da3a6f8
: end
Hi,
Seems to me that you could clean up the current NAT configuration a bit and make it a bit clearer.
I would suggest the following changes
object network VPN-POOL
subnet 10.10.10.0 255.255.255.0
object network LAN
subnet 192.168.1.0 255.255.255.0
object-group network PAT-SOURCE
network-object 192.168.1.0 255.255.255.0
network-object 10.10.10.0 255.255.255.0
nat (inside,outside) source static LAN LAN destination static VPN-POOL VPN-POOL
nat (outside,outside) 1 source static VPN-POOL VPN-POOL destination static VPN-POOL VPN-POOL
nat (any,outside) after-auto source dynamic PAT-SOURCE interface
The above should enable
Dynamic PAT for LAN and VPN users
NAT0 for the traffic between LAN and VPN
NAT0 for traffic between VPN users
You could then remove the previous NAT configurations. Naturally, please do back up the configuration before making the change, in case you wish to move back to the original configuration.
no nat (inside,any) source static any any destination static RAVPN RAVPN
no nat (inside,outside) source static NETWORK_OBJ_192.168.1.0_24 NETWORK_OBJ_192.168.1.0_24 destination static NETWORK_OBJ_10.10.10.0_28 NETWORK_OBJ_10.10.10.0_28
no nat (inside,outside) source static any any destination static NETWORK_OBJ_10.10.10.0_28 NETWORK_OBJ_10.10.10.0_28
no object network obj_any
no object network RAVPN
In the event that you don't want to change the configuration that much, you might be fine just by adding this:
object network VPN-POOL
subnet 10.10.10.0 255.255.255.0
nat (outside,outside) 1 source static VPN-POOL VPN-POOL destination static VPN-POOL VPN-POOL
But the other configuration changes above would make the current NAT configuration simpler and make each "nat" configuration's purpose clearer to see.
- Jouni -
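A way to confirm the effect of Jouni's change, as an added check that is not part of his or the original poster's configuration. The two pool addresses are the ones from the log line in the question; everything else is standard ASA CLI.

```cisco
! Added example: verify the hairpinned VPN-peer flow with packet-tracer.
! Both AnyConnect clients terminate on "outside", so the flow enters and
! leaves the same interface. "same-security-traffic permit intra-interface"
! (already in the posted config) allows that; the identity NAT on
! (outside,outside) makes the forward and reverse NAT lookups agree.
!
! Forward direction, 10.10.10.8 -> 10.10.10.9 (addresses from the log line):
packet-tracer input outside icmp 10.10.10.8 8 0 10.10.10.9 detailed
! Reverse direction:
packet-tracer input outside icmp 10.10.10.9 8 0 10.10.10.8 detailed
!
! Before the fix, the NAT phase of one trace shows a rule such as
!   nat (inside,any) source static any any destination static RAVPN RAVPN
! while the other direction matches a different rule. That mismatch is what
! "Asymmetric NAT rules matched for forward and reverse flows" reports.
! After adding
!   nat (outside,outside) 1 source static VPN-POOL VPN-POOL destination static VPN-POOL VPN-POOL
! both traces should show that single rule and end with "Action: allow".
!
! Confirm the counters move after a real ping between the two clients:
show nat detail
! translate_hits and untranslate_hits on the (outside,outside) rule should
! both increment, and the connection should appear with "outside" on both sides:
show conn address 10.10.10.8
```

If packet-tracer on a given release stops at the VPN phase for a client-pool source, the counters in show nat detail and the conn table are the fallback: after one ping between the clients, the (outside,outside) rule's hit counters should both have moved.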
How to enable NAT on Time Capsule
Ultimate Objective: Enable the "Back to my Mac" feature. In order to do so, NAT has to be enabled on my Time Capsule whose current "Connection Sharing" is set to "Bridge Mode".
Here's the initial configuration
TC>Internet> Internet Connection
-Connect using: Ethernet
-Connection Sharing: Off (Bridge Mode)
TC>Internet>TCP/IP tab
-Configure IPv4: Using DHCP
-IP address: 192.16.1.33
-Subnet Mask: 255.255.255.0
-Router Address: 192.168.1.1
-DNS Server: 192.16.1.1
The TC is ethernet connected to a Zyxel modem/router.
Try #1
When changing "Connection Sharing" from
"Bridge Mode"
to
"Share a public address",
I receive a message indicating 2 problems:
DHCP Beginning Address: 192.168.1.2
DHCP Ending Address: 192.168.1.200
"The DHCP range you have entered conflicts with the WAN IP address of your Airport Wireless device."
Try #2
I update the DHCP Beginning Address to 192.168.1.34 and click on "Update".
I get the same error message:"The DHCP range you have entered conflicts with the WAN IP address of your Airport Wireless device."
Try #3
Correct me if I'm wrong, but in "Bridge Mode", the TC simply acts as a "slave" and gets all its DNS and DHCP information straight from the router. So I'm thinking I should change the configuration on the "Zyxel 1 port modem/router". The modem/router DHCP setup is currently set to "Server". Other available DHCP options are:
-None
-Relay
When setting it to "Relay", I get an error message. I therefore set it to "None".
Back to the TC, I change "Connection Sharing" from
"Bridge Mode"
to
"Share a public address" once again, and receive the same error message as before: "The DHCP range you have entered conflicts with the WAN IP address of your Airport Wireless device."
As you will have noticed, I don't know what I'm doing here. If some of you can point me to a tutorial so I better understand what's going on, it'd be great.
For those of you who managed to read this message up to this point, well, thanks a lot for your patience. If you can point me in the right direction, it'll be even better.
Welcome to the discussions!
From your description, the Zyxel device is a "gateway". That is, it is a combination modem and router in one enclosure, probably wired as one single device, not a separate modem and router.
If you add the Time Capsule to the mix, you now have two routers in series. You can't do that; you only want one device to provide DHCP and NAT services, not two.
Any other router(s) after the main router must be set up as "bridges" to allow the main router to control DHCP and NAT services. So, the correct setting for the Time Capsule in your network is "bridge mode".
I understand the "catch" here, and that is that the Time Capsule does not provide NAT service when it is set up in "bridge mode", because DHCP and NAT are turned off.
If you want to use Back to My Mac, you need to make the Time Capsule the "main router" handling DHCP and NAT. I do not know if you could configure the Zyxel device to function as a simple modem, but that's what you need. It sounds like you have tried the available options, and based on that info I would conclude that it cannot function as a simple modem only. If that's the case, then your only other option is to replace the Zyxel gateway with a simple modem.
Only then can the Time Capsule be configured to "Share a public IP address", which enables DHCP and NAT on the device. -
Jon already touched on this, but to use your "new" network without NAT, the subnet needs to be "known".
With NAT, you can place multiple hosts behind one (or several) IPs on your existing subnet, i.e. your new subnet doesn't need to be known. (In fact, you could use any subnet you want.)
The reason the Linksys worked well yet the 2600 did not: "Enterprise" class routers generally don't handle PAT as well as many consumer class routers. (NB: True NAT would probably work just fine, but what you need is to overload an IP, i.e. PAT.) So, many applications won't work. (NB: I believe newer IOS versions do better, though.)
Many small Cisco Enterprise class routers, especially those from two generations ago, were designed for "slow" WAN links, like single T1s or partial T1s, or perhaps for a few Mbps DSL. If your link has more bandwidth, the router may not have the performance to support it effectively. -
Hello,
I am trying to convert the pre-8.3 config to 9.2, and the configuration on our old firewall makes no sense to me. Would someone explain what is going on here?
Basically the configuration is pretty basic: 1 outside interface and 2 DMZ interfaces, olddmz and newdmz.
interface GigabitEthernet0/0
description outside
speed 1000
duplex full
nameif outside
security-level 0
ip address x.x.6.243 255.255.255.248 standby x.x.6.244
interface GigabitEthernet0/2
description legacy prod
speed 1000
duplex full
nameif olddmz
security-level 50
ip address x.x.9.65 255.255.255.240 standby x.x.9.66
interface GigabitEthernet1/1
description new prod
speed 1000
duplex full
nameif newdmz
security-level 50
ip address x.x.33.163 255.255.255.224 standby x.x.33.164
global (outside) 1 x.x.6.245 netmask 255.255.255.248
static (olddmz,outside) x.x.9.64 x.x.9.64 netmask 255.255.255.240
access-group OUTSIDE in interface outside
access-group OLDDMZ in interface olddmz
route outside 0.0.0.0 0.0.0.0 x.x.6.241 1
There are no other NAT related entries anywhere, and devices on the DMZ interfaces are routed transparently with their DMZ subnet IP addresses to the outside. I also do not see a single mention of newdmz being routed or NATed in any way..... How does that work?
How do I achieve this with a post-8.3 configuration? Either I am missing something fundamental, or I just do not see a way to NAT an entire subnet to the outside.
nat (olddmz,outside) static X.X.X.X
does not allow me to add the entire subnet. Do I need to manually specify each NAT object???
Thank you
First off, do you only have public IPs on your olddmz and newdmz networks? If so, you do not need NAT on your firewall. Previously, in versions earlier than 8.2, you were required to use NAT to allow traffic through the ASA/PIX; that was removed completely in version 8.4. So unless you have private IP address space that should be NATed for internet access, NAT is not needed.
But to answer your question
How do I achieve this with a post-8.3 configuration? Either I am missing something fundamental, or I just do not see a way to NAT an entire subnet to the outside.
nat (olddmz,outside) static X.X.X.X
This configuration would translate to the following:
object network IP1
subnet x.x.9.64 255.255.255.240
object network IP2
subnet x.x.9.64 255.255.255.240
nat (olddmz,outside) static IP1
Please remember to select a correct answer and rate helpful posts -
I have a dilemma. We have a LAN 2 LAN with a remote site and I need to somehow NAT their subnet with an address pool on my side so I can route this traffic elsewhere, where there is a conflicting network. I have an ASA 5510 on this side and they are running a PIX something or other.
I can see where to create a pool, but how can I tell the ASA to assign that pool to the addresses in that LAN 2 LAN?
L2L VPNs do not use 'pools'. You have to define the interesting traffic using crypto access-lists. In the case of NAT, you can put the translated IPs in the access-list as per the example below:
http://www.cisco.com/en/US/products/hw/vpndevc/ps2030/products_configuration_example09186a00808c9950.shtml
And this is an example on IOS:
http://www.cisco.com/en/US/products/ps5855/products_configuration_example09186a0080a0ece4.shtml
Regards
Farrukh
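The approach Farrukh points at, written out as an added example in ASA 8.4 syntax (it is not the thread's own configuration and not the Cisco document's): a LAN that overlaps with a network on the other side is presented to the tunnel under a mapped range, and the crypto ACL is written against that mapped range. All addresses, object names and the peer address 203.0.113.1 are constructed placeholders; the transform-set name ESP-AES-256-SHA is the one defined in the 8.3(1) config earlier on the page. On 8.3 the ikev1 keyword is dropped from the transform-set and pre-shared-key lines.

```cisco
! Added example: policy (twice) NAT of a local LAN into an L2L tunnel.
! Scenario: our LAN 192.168.1.0/24 must reach 172.16.10.0/24 behind the peer,
! but 192.168.1.0/24 clashes with a network the peer already routes, so we
! present our LAN to the tunnel as 10.50.50.0/24. Values are constructed.
object network LOCAL-LAN
 subnet 192.168.1.0 255.255.255.0
object network LOCAL-LAN-MAPPED
 subnet 10.50.50.0 255.255.255.0
object network REMOTE-LAN
 subnet 172.16.10.0 255.255.255.0
!
! Static 1:1 policy NAT: only when the destination is REMOTE-LAN is the
! source rewritten to the mapped range; the destination is left unchanged
! (identity). Sequence 1 puts it ahead of any dynamic PAT to the internet.
nat (inside,outside) 1 source static LOCAL-LAN LOCAL-LAN-MAPPED destination static REMOTE-LAN REMOTE-LAN
!
! The crypto ACL must use the translated addresses, because NAT runs before
! the VPN lookup on the ASA. The peer mirrors it: 172.16.10.0/24 <-> 10.50.50.0/24.
access-list L2L-VPN extended permit ip object LOCAL-LAN-MAPPED object REMOTE-LAN
!
crypto map outside_map 10 match address L2L-VPN
crypto map outside_map 10 set peer 203.0.113.1
crypto map outside_map 10 set ikev1 transform-set ESP-AES-256-SHA
crypto map outside_map interface outside
!
tunnel-group 203.0.113.1 type ipsec-l2l
tunnel-group 203.0.113.1 ipsec-attributes
 ikev1 pre-shared-key <placeholder-psk>
!
! Verification: the trace should show the NAT rule above, then a VPN phase
! encrypting with source 10.50.50.10 (host .10 and .20 are constructed).
packet-tracer input inside icmp 192.168.1.10 8 0 172.16.10.20 detailed
show crypto ipsec sa peer 203.0.113.1
show nat detail
```

The remote peer never sees 192.168.1.0/24: its crypto ACL and its NAT exemption refer to 10.50.50.0/24 only. Traffic initiated from the remote side is addressed to 10.50.50.x, the ASA untranslates it on arrival, and the rule's untranslate_hits counter increments; if the counter stays at zero while the tunnel is up, the mismatch is almost always between the crypto ACL and the mapped range.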