NAT between two interfaces
Good day,
I would like to ask whether it is possible to do NAT between two interfaces on the same device.
The problem is that I need access from my inside lan to the management interface on the ASA. We will not manage the ASA over the inside interface.
This is my current NAT statement:
nat (inside,mgmt) source static 172.20.200.0-24 192.168.3.222 destination static 192.168.3.0-24 192.168.3.0-24 unidirectional
This is my PacketTracer output:
Phase: 1
Type: ROUTE-LOOKUP
Subtype: input
Result: ALLOW
Config:
Additional Information:
in 192.168.3.0 255.255.255.0 mgmt

Phase: 2
Type: ACCESS-LIST
Subtype: log
Result: ALLOW
Config:
access-group inside in interface inside
access-list inside extended permit ip 172.20.200.0 255.255.255.0 any
Additional Information:

Phase: 3
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:

Phase: 4
Type: NAT
Subtype:
Result: ALLOW
Config:
nat (inside,mgmt) source static 172.20.200.0-24 192.168.3.222 destination static 192.168.3.0-24 192.168.3.0-24 unidirectional
Additional Information:
Static translate 172.20.200.1/0 to 192.168.3.222/0

Phase: 5
Type: USER-STATISTICS
Subtype: user-statistics
Result: ALLOW
Config:
Additional Information:

Phase: 6
Type: FLOW-CREATION
Subtype:
Result: ALLOW
Config:
Additional Information:
New flow created with id 244039047, packet dispatched to next module

Result:
input-interface: inside
input-status: up
input-line-status: up
output-interface: mgmt
output-status: up
output-line-status: up
Action: allow
So NAT seems to be working correctly. I can reach other devices behind the mgmt network, this is no problem. But I can't access the ASA itself on the mgmt interface, 192.168.3.2.
Could it be a problem with the traffic flow? Because in the PacketTracer output I see a Route-Lookup in Phase 1 and the NAT statement only later, in Phase 4.
Is there a way to get this working?
Many thanks for your feedback.
Brgds,
Markus
Hi,
To my understanding it's not possible to connect to an ASA interface through an interface other than the one where the IP address is located.
In other words, you are not able to connect from behind "inside" to the IP address of the "mgmt" interface.
I will try to find you a link to some Cisco documentation stating this. (I have never really had to find it though)
- Jouni
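An added example, not part of this thread: a small Python parser for the packet-tracer output quoted above (re-split into one field per line and abridged to the phases that carry information). It pulls out each phase's type, result and NAT translation, and checks what Markus noticed, namely that the ROUTE-LOOKUP phase that picks the egress interface runs before the NAT phase. The sample text is taken from the post; the function names are this example's own.

```python
import re
from typing import Dict, List

# Sample input: the packet-tracer output from the post above, one field per line,
# abridged to phases 1, 2 and 4 plus the trailing summary (the other phases carry nothing here).
SAMPLE = """\
Phase: 1
Type: ROUTE-LOOKUP
Subtype: input
Result: ALLOW
Config:
Additional Information:
in 192.168.3.0 255.255.255.0 mgmt
Phase: 2
Type: ACCESS-LIST
Subtype: log
Result: ALLOW
Config:
access-group inside in interface inside
access-list inside extended permit ip 172.20.200.0 255.255.255.0 any
Additional Information:
Phase: 4
Type: NAT
Subtype:
Result: ALLOW
Config:
nat (inside,mgmt) source static 172.20.200.0-24 192.168.3.222 destination static 192.168.3.0-24 192.168.3.0-24 unidirectional
Additional Information:
Static translate 172.20.200.1/0 to 192.168.3.222/0
Result:
input-interface: inside
output-interface: mgmt
Action: allow
"""

PHASE_RE = re.compile(r"^Phase:\s*(\d+)$")


def parse_packet_tracer(text: str) -> Dict:
    """Split packet-tracer output into a list of phase dicts plus the final summary."""
    phases: List[Dict] = []
    summary: Dict[str, str] = {}
    cur = None          # phase currently being filled
    section = None      # "config" or "info" once the matching header line was seen
    in_summary = False
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = PHASE_RE.match(line)
        if m:
            cur = {"phase": int(m.group(1)), "type": "", "subtype": "", "result": "",
                   "config": [], "info": []}
            phases.append(cur)
            section = None
            continue
        if line == "Result:":            # a bare "Result:" opens the trailing summary block
            in_summary = True
            continue
        if in_summary:
            key, _, val = line.partition(":")
            summary[key.strip()] = val.strip()
            continue
        if cur is None:
            continue
        if line == "Config:":
            section = "config"
        elif line == "Additional Information:":
            section = "info"
        elif line.startswith("Type:"):
            cur["type"] = line[len("Type:"):].strip()
        elif line.startswith("Subtype:"):
            cur["subtype"] = line[len("Subtype:"):].strip()
        elif line.startswith("Result:"):
            cur["result"] = line[len("Result:"):].strip()
        elif section:
            cur[section].append(line)
    return {"phases": phases, "summary": summary}


def phase_types(parsed: Dict) -> List[str]:
    """Phase types in the order the ASA reported them."""
    return [p["type"] for p in parsed["phases"]]


def phase_number(parsed: Dict, ptype: str) -> int:
    """Phase number of the first phase of the given type, or -1 if absent."""
    for p in parsed["phases"]:
        if p["type"] == ptype:
            return p["phase"]
    return -1


def route_lookup_precedes_nat(parsed: Dict) -> bool:
    """True when the egress interface was chosen (ROUTE-LOOKUP) before NAT ran, as in the post."""
    r, n = phase_number(parsed, "ROUTE-LOOKUP"), phase_number(parsed, "NAT")
    return r != -1 and n != -1 and r < n


def translations(parsed: Dict) -> List[str]:
    """The 'Static translate ...' lines reported by NAT phases."""
    return [l for p in parsed["phases"] if p["type"] == "NAT"
            for l in p["info"] if l.startswith("Static translate")]


if __name__ == "__main__":
    parsed = parse_packet_tracer(SAMPLE)
    for p in parsed["phases"]:
        print(f"phase {p['phase']}: {p['type']:<13} {p['result']}  {' | '.join(p['info'])}")
    print("route lookup before NAT:", route_lookup_precedes_nat(parsed))
    print("egress:", parsed["summary"].get("output-interface"), "action:", parsed["summary"].get("Action"))
```

Run it as a script to print the phase summary. The parser only describes through-the-box forwarding, which is all packet-tracer reports here: a trace ending in "Action: allow" with "output-interface: mgmt" confirms that the flow would be forwarded out the mgmt interface, not that the ASA will answer on that interface's own IP, which is the distinction Jouni draws.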
Similar Messages
-
ASA5510 - Verifying NAT is fully disabled between two interfaces
Hello,
I am trying to configure two inside interfaces without NAT. I am not using nat-control and I have added exemptions for the two networks. I can communicate between the two networks and to the Internet just fine.
I would like to verify that NAT is disabled between the two interfaces. I also need to make sure that the Interface IP (specifically for the traffic from inside-test to the inside network) is not added to packets between the two networks. I would like to be able to verify this as well. In other words I need to have the Source IP address from the originating connection on the inside-test network passed along through to the Inside network device without being replaced by the Interface's IP address. This is a test config for a production environment that will be using a load balancer. The config I have may be working in this regard and the load balancer may be replacing this IP address (that is what I am trying to test), but I am not certain.
So far I have the following NAT related running-config command (in regards to these two interfaces):
access-list NAT_Exempt extended permit ip 192.168.12.0 255.255.255.0 interface inside
access-list NAT_Exempt extended permit ip 192.168.3.0 255.255.255.0 interface Inside-test
access-list NAT_Exempt extended permit ip 192.168.12.0 255.255.255.0 192.168.3.0 255.255.255.0
access-list NAT_Exempt_2 extended permit ip 192.168.12.0 255.255.255.0 interface inside
access-list NAT_Exempt_2 extended permit ip 192.168.3.0 255.255.255.0 interface Inside-test
access-list NAT_Exempt_2 extended permit ip 192.168.3.0 255.255.255.0 192.168.12.0 255.255.255.0
nat (inside) 0 access-list NAT_Exempt_2
nat (inside) 1 0.0.0.0 0.0.0.0
nat (Inside-test) 0 access-list NAT_Exempt
nat (Inside-test) 1 0.0.0.0 0.0.0.0
global (outside) 1 interface
global (Inside-test) 1 interface
Let me know if more information is needed for you to assist me further.
Thank you.
Thank you Jennifer for your responses.
Do I need to include access-list commands for both directions for each interface as listed in my full config above, or do I just need one for one direction on one and one direction on the other interface (plus the exempt for the 69.x.x.x network)?
Would this config suffice?
access-list NAT_Exempt_2 permit ip 192.168.3.0 255.255.255.0 192.168.12.0 255.255.255.0
access-list NAT_Exempt_2 permit ip 192.168.3.0 255.255.255.0 69.87.157.192 255.255.255.224
access-list NAT_Exempt permit ip 192.168.12.0 255.255.255.0 192.168.3.0 255.255.255.0
access-list NAT_Exempt permit ip 192.168.12.0 255.255.255.0 69.87.157.192 255.255.255.224
nat (inside) 0 access-list NAT_Exempt_2
nat (inside-test) 0 access-list NAT_Exempt
Will I need to clear xlate to see the results of this, or will this take effect immediately? I can't really do that during business hours, but should be able to after hours if I need to.
Can you clarify what the global commands do? I keep thinking that it adds the IP of the Interface to packets as they go through the interface and that I should use a different config for the Inside-test network.
I will try the xlate detail to verify and let you know what I find.
Thank you. -
Load balancing between two interfaces on 2811
Hi,
We have a 2811 router with VPN and NAT configured. We have two internet connections from different ISPs. The speed of our original connection is 2MB up and down. The speed of our new connection is 1MB up and down. We want to configure load balancing between the two connections. Our new ISP has provided us with a CISCO 837 router. We want to connect that router into our 2811 on one of the free WIC cards and then configure load balancing between the two interfaces on our 2811. The third interface has a local address configured. Please suggest where to start. I tried searching on the net for any configuration example but I was unable to find any particular example with commands. I am new on the CISCO platform. Any help will be hugely appreciated. Thanks in advance.
Raju,
You have two choices as far as I can see. If you want to use static routing over the WAN to your branch, you could duplicate your static routes to the branch and point them to the secondary router. You will have two identical sets of static routes in the primary router, one set pointing to the WAN interface and the other one pointing to the secondary router.
ip route x.x.x.x "WAN-interface"
ip route x.x.x.x "secondary router"
ip route y.y.y.y "WAN-interface"
ip route y.y.y.y "secondary router"
etc.
As a result the primary router will have two routes to the branch and will load-balance. If one next-hop fails (either the WAN interface or the secondary router), only the other will be used. If the next-hop comes back up, load-balancing will resume.
The other choice would be to use EIGRP over the WAN, and make sure the two routers become EIGRP neighbors. Then you can use the "variance" command to achieve unequal cost load-balancing between the two routers. Let me know if you need more information about this, but I think static routes will be sufficient in your situation.
HTH, Thomas -
View Mapping Result between two Interface Mappings in ccBPM
Hello,
I've got a ccBPM which does two interface mappings. The second one fails. When I redo the steps manually in the Interface Mapping test mode everything works fine. Anyway, I want to get the message from the failed BPM that got out of the first interface mapping, which worked fine in the BPM as well, before entering the second.
Where can I get that message? In Monitoring I can only find messages that got sent.
Thanks for your help!
Regards,
Dirk
Hi,
Please check in Runtime Workbench.
Go to Adapter Engine --> Component Monitoring
Now select your Adapter.
Use Filter and below you will find message ids.
Select one and you can see the audit log, which shows where your application fails.
You can also use SXMB_MONI.
Select the message giving the error, go to the Outbound tab, click the link, select the View Details image button, select the component with the error and go to its Container tab. There you will find the trace entry where the log of your error is stored.
Hope it helps.
Best Of Luck
Akhil
Edited by: Akhil Rastogi on Mar 18, 2008 11:08 AM -
VSM with NAT Between two ASR routers
We are new to the ASR platform and IOS XR. We have two new ASR 9006's with the VSM module. These two routers are not yet in production so we can play around with them. We will be moving the NAT functionality from our firewalls to these two routers. Is it possible for these two routers to share NAT translations? It is entirely possible that outbound traffic could be NAT'ed out one of these ASR's and the return traffic come through the other ASR. In this scenario how is the NAT translation handled? I've not had much luck finding documentation on this specific topic.
Thanks,
Marc -
CISCO ASR901 BRIDGE BETWEEN 2 INTERFACES
Hi All!
I'm looking for some way to make a transparent bridge between two interfaces of a Cisco ASR901 router. Is there any possibility? I ask this because I have a scenario where I would use the ASR901 for the following:
POP01 ( )  ASR901 g0/6 --------> ISG_7206
POP02 ( MPLS CLOUD )  g0/7 --------> ISG_7206
POP03 ( )
The ASR901 will concentrate EoMPLS from other points in the network and pass it on to the ISG routers, i.e., the VLANs would have to be on two ports with an xconnect to a remote router. The configuration would be something like this:
interface GigabitEthernet0/6
description Core: MPLS CONC PPPOE02
no ip address
negotiation auto
hold-queue 1024 in
hold-queue 1024 out
service instance 4095 ethernet
encapsulation dot1q 4094
rewrite ingress tag pop 1 symmetric
interface GigabitEthernet0/7
description Core: 7206_PPPOE_01
no ip address
negotiation auto
service instance 4095 ethernet
encapsulation dot1q 4094
rewrite ingress tag pop 1 symmetric
end
l2vpn xconnect context TEST
interworking ethernet
member 201.55.127.202 1212 encapsulation mpls group TEST
member GigabitEthernet0/7 service-instance 4095 group TEST priority 1
member GigabitEthernet0/6 service-instance 4095
redundancy delay 1 3 group TEST
But without one interface being redundant to the other: what I need is the 2 interfaces in a "bridge" making an xconnect to a remote router, with these 2 interfaces connected to 2 ISGs to load balance.
Hi,
This discussion is for IOS-XR related questions. You should post your question under Service Provider > MPLS.
thanks,
rivalino -
CISCO ASR901 BRIDGE BETWEEN 2 INTERFACES WITH XCONNECT
Hi All!
I'm looking for some way to make a transparent bridge between two interfaces of a Cisco ASR901 router. Is there any possibility? I ask this because I have a scenario where I would use the ASR901 for the following:
POP01 ( )  ASR901 g0/6 --------> ISG_7206
POP02 ( MPLS CLOUD )  g0/7 --------> ISG_7206
POP03 ( )
The ASR901 will concentrate EoMPLS from other points in the network and pass it on to the ISG routers, i.e., the VLANs would have to be on two ports with an xconnect to a remote router. The configuration would be something like this:
interface GigabitEthernet0/6
description Core: MPLS CONC PPPOE02
no ip address
negotiation auto
hold-queue 1024 in
hold-queue 1024 out
service instance 4095 ethernet
encapsulation dot1q 4094
rewrite ingress tag pop 1 symmetric
interface GigabitEthernet0/7
description Core: 7206_PPPOE_01
no ip address
negotiation auto
service instance 4095 ethernet
encapsulation dot1q 4094
rewrite ingress tag pop 1 symmetric
end
l2vpn xconnect context TEST
interworking ethernet
member 201.55.127.202 1212 encapsulation mpls group TEST
member GigabitEthernet0/7 service-instance 4095 group TEST priority 1
member GigabitEthernet0/6 service-instance 4095
redundancy delay 1 3 group TEST
But without one interface being redundant to the other: what I need is the 2 interfaces in a "bridge" making an xconnect to a remote router, with these 2 interfaces connected to 2 ISGs to load balance.
Hello,
I do not believe that the ASR901 will do this without help from an upstream device. If I understand correctly, you want to build a bridge-domain with 3 EFPs: 2 physical ports, and one pseudowire. As of the last IOS revision that I have configured on this platform, the 901 doesn't support the pseudowire on a bridge-domain, only a service instance.
It seems to me that you would need an upstream box involved to support this.
Either:
Build 2 pseudowires to an upstream box that supports this configuration (like an ME 3600x, ME3800x, or 9k).
or
Associate both service instances to a common bridge domain that is extended to an upstream box that is initiating the pseudowire. More platforms would support this, since it does not require supporting the pseudowire on a bridge domain.
...Unless you are looking to build an LACP channel-group on the interfaces connected to the ISGs to load-balance. The 901 supports LACP, and it also supports building an EFP (service instance) on the channel-group interface. This technically makes the 2 physical interfaces one EFP. The part of this that I have not tried is building a pseudowire on an EFP on a channel-group.
Hope this helps.
Jason -
Problems getting static NAT to work between two internal lans
Hi, I'm trying the old problem of routing between two internal LANs. This is on CLI 8.6(1)2. I have three interfaces/LANs: outside is to the internet, inside is the rack in the datacentre and office is a dedicated ethernet link to our office. What I want to do is allow all (for now) traffic between office and inside. There are a million hits on this on the 'net but I can't get it to work. Packet trace shows packets accepted from office to inside but blocked from inside to office. Both static NATs are set up identically. Here's the output of show nat after packet traces in both directions. It clearly shows that inside to office isn't hitting the NAT policy. I enclose what I think are the relevant bits of my config. Full config less passwords + crypto attached.
Manual NAT Policies (Section 1)
1 (office) to (inside) source static inside-office inside-office destination static inside-ld5 inside-ld5 no-proxy-arp route-lookup
translate_hits = 0, untranslate_hits = 3
2 (inside) to (office) source static inside-ld5 inside-ld5 destination static inside-office inside-office no-proxy-arp route-lookup
translate_hits = 0, untranslate_hits = 0
interface GigabitEthernet0/0
nameif inside-ld5
security-level 100
ip address 10.20.15.2 255.255.255.0
interface GigabitEthernet0/6
nameif office
security-level 100
ip address 10.20.11.9 255.255.255.0
object network inside-ld5
subnet 10.20.15.0 255.255.255.0
object network inside-office
subnet 10.20.11.0 255.255.255.0
same-security-traffic permit inter-interface
same-security-traffic permit intra-interface
nat (office,inside) source static inside-office inside-office destination static inside-ld5 inside-ld5 no-proxy-arp route-lookup
nat (inside,office) source static inside-ld5 inside-ld5 destination static inside-office inside-office no-proxy-arp route-lookup
Hi Kevin,
Because your interfaces inside and office are at the same security level and you have enabled same-security-traffic permit inter-interface, traffic should simply flow between these interfaces. So I think you don't need NAT between these two subnets if there is no other reason to do so.
Then you just configure an ACL which will permit the traffic you want between these LANs. In this case both networks are directly connected, so routing should work (instead of NAT).
Best Regards,
Jan -
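An added example, not from the thread: a Python parser for the "show nat" output Kevin posted. It records the translate/untranslate hit counters per manual NAT rule, flags rules that have never matched (rule 2 here, which is exactly what the output shows), recognises identity rules (source and destination mapped to themselves), and pairs up rules that are each other's mirror image, which is the redundancy Jan points at. The sample text is the output from the post; the class and function names are this example's own.

```python
import re
from dataclasses import dataclass
from typing import List, Tuple

# Sample input: the "show nat" excerpt from Kevin's post above.
SAMPLE_SHOW_NAT = """\
Manual NAT Policies (Section 1)
1 (office) to (inside) source static inside-office inside-office destination static inside-ld5 inside-ld5 no-proxy-arp route-lookup
    translate_hits = 0, untranslate_hits = 3
2 (inside) to (office) source static inside-ld5 inside-ld5 destination static inside-office inside-office no-proxy-arp route-lookup
    translate_hits = 0, untranslate_hits = 0
"""

RULE_RE = re.compile(r"^(\d+)\s+\((\S+)\)\s+to\s+\((\S+)\)\s+(.*)$")
HITS_RE = re.compile(r"translate_hits\s*=\s*(\d+),\s*untranslate_hits\s*=\s*(\d+)")
SRC_RE = re.compile(r"source static (\S+) (\S+)")
DST_RE = re.compile(r"destination static (\S+) (\S+)")


@dataclass
class NatRule:
    index: int
    from_if: str
    to_if: str
    text: str
    src_real: str = ""
    src_mapped: str = ""
    dst_real: str = ""
    dst_mapped: str = ""
    translate_hits: int = 0
    untranslate_hits: int = 0

    def is_identity(self) -> bool:
        """Identity (no-op) NAT: real and mapped objects are the same on both sides."""
        return self.src_real == self.src_mapped and self.dst_real == self.dst_mapped


def parse_show_nat(text: str) -> List[NatRule]:
    """Turn the manual-NAT section of 'show nat' into NatRule records with their hit counters."""
    rules: List[NatRule] = []
    for raw in text.splitlines():
        line = raw.strip()
        m = RULE_RE.match(line)
        if m:
            rule = NatRule(int(m.group(1)), m.group(2), m.group(3), m.group(4))
            s, d = SRC_RE.search(rule.text), DST_RE.search(rule.text)
            if s:
                rule.src_real, rule.src_mapped = s.groups()
            if d:
                rule.dst_real, rule.dst_mapped = d.groups()
            rules.append(rule)
            continue
        h = HITS_RE.search(line)
        if h and rules:                  # counters belong to the rule printed just above
            rules[-1].translate_hits = int(h.group(1))
            rules[-1].untranslate_hits = int(h.group(2))
    return rules


def unused_rules(rules: List[NatRule]) -> List[int]:
    """Indices of rules that no packet has matched in either direction."""
    return [r.index for r in rules if r.translate_hits == 0 and r.untranslate_hits == 0]


def mirrored_pairs(rules: List[NatRule]) -> List[Tuple[int, int]]:
    """Pairs of rules where one is the other written from the opposite interface."""
    pairs = []
    for i, a in enumerate(rules):
        for b in rules[i + 1:]:
            if (a.from_if, a.to_if, a.src_real, a.dst_real) == (b.to_if, b.from_if, b.dst_real, b.src_real):
                pairs.append((a.index, b.index))
    return pairs


if __name__ == "__main__":
    rules = parse_show_nat(SAMPLE_SHOW_NAT)
    for r in rules:
        print(f"rule {r.index}: ({r.from_if},{r.to_if}) identity={r.is_identity()} "
              f"translate={r.translate_hits} untranslate={r.untranslate_hits}")
    print("never matched:", unused_rules(rules))
    print("mirrored pairs:", mirrored_pairs(rules))
```

Zero counters in both directions on a rule that should carry traffic mean the flow is being decided earlier (ACL, same-security setting or routing), which is the direction Jan's answer takes; two mirrored identity rules are a sign the NAT configuration is doing no translation at all and can be dropped once the ACLs are in place.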
Static NAT and same IP address for two interfaces
We have a Cisco ASA 5520 and, in order to conserve public IP addresses and configuration (possibly), can we use the same public IP address for a static NAT with two different interfaces? Here is an example of what I'm referring to, where 10.10.10.10 would be the same public IP address.
static (inside,Outside) 10.10.10.10 access-list inside_nat_static_1
static (production,Outside) 10.10.10.10 access-list production_nat_static_1
Thanks for any help.
Jeff
Hi Jeff,
Unfortunately this cannot be done. On the ASA, packet classification is done on the basis of MAC address, destination NAT and route, and here you are confusing the firewall as to which interface the IP belongs to. I haven't ever tried to do it, but it should cause you issues.
Thanks,
Varun Rao
Security Team,
Cisco TAC -
Static NAT with two outside interfaces
I have a router which performs NAT on two outside interfaces with load balancing, and I had a task to allow an inbound connection to be forwarded to a specific host inside on a well-known port.
Here is an example:
interface Fas0/0
ip nat outside
interface Fas0/1
ip nat outside
interface Vlan1
ip nat inside
ip nat inside source route-map rm_isp1 pool pool_isp1
ip nat inside source route-map rm_isp2 pool pool_isp2
All worked fine.
Then I tried to add static NAT:
ip nat inside source static tcp 10.0.0.1 25 interface Fas0/0 25
ip nat inside source static tcp 10.0.0.1 25 interface Fas0/1 25
And as a result only the last static NAT line appeared in the config.
The solution was to use the interfaces' IPs instead of their names. That helped, but isn't that a bug?
In this scenario, we are trying to access a mail server located at 10.0.0.1 from outside and we have two outside IPs, let's say 71.1.1.1 and 69.1.1.1.
With CEF Enabled
Packet comes in to the Fa0/0 interface with source IP 66.x.x.x and destination IP 71.1.1.1. Our NAT rule translates this to 10.0.0.1. Packet goes to 10.0.0.1. The return packet goes to the LAN interface first and the routing rule is determined *before* the packet is translated.
Packet source IP at this point is 10.0.0.1 and destination is 66.x.x.x. Now, based on CEF, it will go out via Fa0/0 or Fa0/1, irrespective of the way it came in. Because of this, with CEF enabled this will not work. CEF is per-destination.
So, let's say somebody on the outside tried to access this server using 71.1.1.1; then he would expect a reply from 71.1.1.1, which may or may not be true as the traffic could be NAT'd to 69.1.1.1 or 71.1.1.1.
If it gets the reply packet from 71.1.1.1, it should work. If it gets it from 69.1.1.1, it will simply drop it as it never sent a packet to 69.1.1.1.
With CEF and Fast Switching Disabled
Same steps as above, only that the packet is sent to the process level to be routed. At this point, the packets will be sent out in a round robin fashion. One packet will go out via the Fa0/0 and the other via the Fa0/0. This will have a constant 50% packet loss and is also not a viable solution.
So, what you are trying to achieve is not possible on a Cisco router.
HTH,
Amit Aneja -
How to route traffic between two different interfaces
Hi,
I need to setup a routing between two different interfaces on a host.
Interface ce1: 192.168.120.12
Interface ce2: 192.168.110.50
Is it possible to add a route which enables the ce2 interface to catch packets from the ce1 interface ?
Regards,
Armin
The problem is an application which is only able to listen on one interface.
To fix this, I have to make all packages visible on one interface. -
NAT, DMZ single interface two firewalls... Create Edge topology
Hello,
I have a two-firewall DMZ, so I'm struggling to understand why the topology builder is asking me for the "Internal" IP of the edge server. The edge server is not internal (by design); it's in the perimeter network (DMZ). It does not have an internal interface, nor am I interested in giving it one (that's why I have firewalls). It's NAT'd.
Is this explained somewhere ? How do I setup the topology wizard to understand my firewall configuration.. I see the NAT'd external IP.. obviously that's on the public side...
Thanks for help,
Steve Lithgow
Anthony's two posts win the PRIZE! Ben gets runner-up!
It still baffles me why it is necessary to have an additional network in my DMZ. You are not increasing your level of security by increasing the complexity (security by obfuscation). The internal network can have persistent routes to the DMZ IP of the Edge Server as well as firewall rules governing traffic by source IP to the internal network from the DMZ. A host with two interfaces that becomes compromised is no more secure than one with a single interface. Our firewall rules are not based on "networks" to/from the DMZ; they are based on source/destination IPs.
So basically, my point is MS should not ASSume a particular firewall configuration and force this via the Topology builder. Just my .02.
Can anyone tell me if MS is doing some memory-level protection in the Edge server that masks the external-facing process from internal ones, or something really special? My guess is that the edge server is NOT ISA/TMG, so......
To someone else's point that stated "You don't want the edge server to be your firewall", my response is: you dang right! But in essence that is what you are doing by placing an internal interface on the edge server, firewall rules/routes or not. What you are doing is creating a firewall leg on the edge server.
Thanks for all the FAST help! Though I'm still shaking my head a bit....
Steve Lithgow -
'Only' NAT'd Traffic Allowed Between ASA Interfaces
I've just set up two ASAs. In doing so, I've run into the same problem on each one (i.e., I must configure NAT on each interface for the traffic to flow between them).
According to the literature and videos I've been through, I should not have to perform NAT for the traffic to move between the different interfaces.
Questions:
What have I done wrong?
What do I need to do to have this run as I expected it would (*without NAT)? While it appears harmless to have it setup this way, it just doesn't look 'clean' to me.
Notes about my configurations:
Same security level traffic is permitted
All interfaces have their security levels set to 100
I've reset the ACLs to allow all traffic as well (*this is a lab)
All tcp-udp traffic is inspected by default on ASAs
Many thanks.
Fred
NAT-Control: NA, deprecated.
Without NAT-Control: As I mentioned previously, I must use NAT, or the traffic will not flow between interfaces. This is my problem. It doesn't make sense that I should need to use NAT for traffic to flow between the different interfaces.
Notes about my configurations:
Same security level traffic is permitted
All interfaces have their security levels set to 100
I've reset the ACLs to allow all traffic as well (*this is a lab)
All tcp-udp traffic is inspected by default on ASAs
Questions:
What have I done wrong?
What do I need to do to have this run as I expected it would (*without NAT)? While it appears harmless to have it setup this way, it just doesn't look 'clean' to me. -
Shareable Interface between two RMI based applets
Hello! I am developing a project in simulation environment (cref) in Java Card and I have one problem.
First of all, I have created two RMI based applets and I want to make one of these applets implement a shareable interface.
As we know, a classical RMI based applet has three parts: one interface that extends the Remote interface (let's call it ApplicationRemoteInt), one class that implements the previous interface (ApplicationImpl), and one class that extends javacard.framework.Applet which manipulates ApplicationImpl (ApplicationApplet).
My problem is that I don't know which of these three programs (make it two, I don't think it could be ApplicationRemoteInt) has to implement another interface, which extends the Shareable interface (ApplicationShareable), and in which way.
Also I think that the ApplicationShareable must be implemented by an Applet class.
As you see I am confused, can anyone help me, please?
Thank you in advance, Bill.
Thank you very much for your response. I had knowledge about Shareable Interfaces between two traditional applets, BUT not between two RMI based applications.
Finally I found that RMI based application does not support shareable interface:
http://forum.java.sun.com/thread.jspa?threadID=728540&messageID=4194658
Thank you for your reply anyway, Bill. -
Site to Site VPN Between Two ASA 5505's Up But Not Passing Traffic
hello,
I am setting up a site-to-site VPN between two ASA 5505s. The tunnel is up but I cannot get it to pass traffic and I have run out of ideas at this point. I am on site as I am posting this question and only have about 4 hours left to figure this out, so any help ASAP is greatly appreciated. I'll post the configs below along with the output of sh crypto isakmp sa and sh ipsec sa.
FYI, the ASAs are different versions: one is 9.2, the other is 8.2.
Note: 1.1.1.1 = public IP for Site A; 2.2.2.2 = public IP for Site B.
Site A running config:
Result of the command: "sh run"
: Saved
ASA Version 8.2(2)
hostname csol-asa
enable password WI19w3dXj6ANP8c6 encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
names
name 192.168.1.0 san_antonio_inside
interface Vlan1
nameif inside
security-level 100
ip address 192.168.2.1 255.255.255.0
interface Vlan2
nameif outside
security-level 0
ip address 1.1.1.1 255.255.255.248
interface Ethernet0/0
switchport access vlan 2
interface Ethernet0/1
interface Ethernet0/2
interface Ethernet0/3
interface Ethernet0/4
interface Ethernet0/5
interface Ethernet0/6
interface Ethernet0/7
ftp mode passive
dns domain-lookup inside
dns server-group DefaultDNS
name-server 24.93.41.125
name-server 24.93.41.126
object-group network NETWORK_OBJ_192.168.2.0_24
access-list inside_access_out extended permit ip any any
access-list outside_access_out extended permit ip any any
access-list outside_access_in extended permit icmp any any
access-list outside_access_in_1 extended permit icmp any interface outside
access-list outside_access_in_1 extended permit tcp any interface outside eq pop3
access-list outside_access_in_1 extended permit tcp any interface outside eq 8100
access-list outside_access_in_1 extended permit udp any interface outside eq 8100
access-list outside_access_in_1 extended permit udp any interface outside eq 1025
access-list outside_access_in_1 extended permit tcp any interface outside eq 1025
access-list outside_access_in_1 extended permit tcp any interface outside eq 5020
access-list outside_access_in_1 extended permit tcp any interface outside eq 8080
access-list outside_access_in_1 extended permit tcp any interface outside eq www
access-list outside_access_in_1 extended permit ip san_antonio_inside 255.255.255.0 any
access-list outside_1_cryptomap extended permit ip 192.168.2.0 255.255.255.0 host san_antonio_inside
access-list outside_1_cryptomap_1 extended permit ip 192.168.2.0 255.255.255.0 san_antonio_inside 255.255.255.0
access-list inside_nat0_outbound extended permit ip 192.168.2.0 255.255.255.0 san_antonio_inside 255.255.255.0
pager lines 24
logging enable
logging asdm informational
mtu inside 1500
mtu outside 1500
no failover
icmp unreachable rate-limit 1 burst-size 1
no asdm history enable
arp timeout 14400
nat-control
global (inside) 2 interface
global (outside) 101 interface
nat (inside) 0 access-list inside_nat0_outbound
nat (inside) 101 0.0.0.0 0.0.0.0
static (inside,outside) tcp interface pop3 192.168.2.249 pop3 netmask 255.255.255.255
static (inside,outside) tcp interface 8100 192.168.2.161 8100 netmask 255.255.255.255
static (inside,outside) udp interface 8100 192.168.2.161 8100 netmask 255.255.255.255
static (inside,outside) udp interface 1025 192.168.2.161 1025 netmask 255.255.255.255
static (inside,outside) tcp interface 5020 192.168.2.8 5020 netmask 255.255.255.255
static (inside,outside) tcp interface 8080 192.168.2.251 8080 netmask 255.255.255.255
static (inside,inside) tcp interface www 192.168.2.8 www netmask 255.255.255.255
static (inside,outside) tcp interface 1025 192.168.2.161 1025 netmask 255.255.255.255
access-group inside_access_out out interface inside
access-group outside_access_in_1 in interface outside
route outside 0.0.0.0 0.0.0.0 1.1.1.1 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
dynamic-access-policy-record DfltAccessPolicy
http server enable
http 192.168.2.0 255.255.255.0 inside
http 2.2.2.2 255.255.255.255 outside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
crypto ipsec transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac
crypto ipsec transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac
crypto ipsec transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac
crypto ipsec transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
crypto ipsec transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
crypto ipsec transform-set ESP-AES-128-SHA-TRANS esp-aes esp-sha-hmac
crypto ipsec transform-set ESP-AES-128-SHA-TRANS mode transport
crypto ipsec transform-set ESP-AES-128-MD5-TRANS esp-aes esp-md5-hmac
crypto ipsec transform-set ESP-AES-128-MD5-TRANS mode transport
crypto ipsec transform-set ESP-AES-192-SHA-TRANS esp-aes-192 esp-sha-hmac
crypto ipsec transform-set ESP-AES-192-SHA-TRANS mode transport
crypto ipsec transform-set ESP-AES-192-MD5-TRANS esp-aes-192 esp-md5-hmac
crypto ipsec transform-set ESP-AES-192-MD5-TRANS mode transport
crypto ipsec transform-set ESP-AES-256-SHA-TRANS esp-aes-256 esp-sha-hmac
crypto ipsec transform-set ESP-AES-256-SHA-TRANS mode transport
crypto ipsec transform-set ESP-AES-256-MD5-TRANS esp-aes-256 esp-md5-hmac
crypto ipsec transform-set ESP-AES-256-MD5-TRANS mode transport
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto ipsec transform-set ESP-3DES-SHA-TRANS esp-3des esp-sha-hmac
crypto ipsec transform-set ESP-3DES-SHA-TRANS mode transport
crypto ipsec transform-set ESP-3DES-MD5-TRANS esp-3des esp-md5-hmac
crypto ipsec transform-set ESP-3DES-MD5-TRANS mode transport
crypto ipsec transform-set ESP-DES-SHA esp-des esp-sha-hmac
crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac
crypto ipsec transform-set ESP-DES-SHA-TRANS esp-des esp-sha-hmac
crypto ipsec transform-set ESP-DES-SHA-TRANS mode transport
crypto ipsec transform-set ESP-DES-MD5-TRANS esp-des esp-md5-hmac
crypto ipsec transform-set ESP-DES-MD5-TRANS mode transport
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
crypto map outside_map1 1 match address outside_1_cryptomap_1
crypto map outside_map1 1 set peer 2.2.2.2
crypto map outside_map1 1 set transform-set ESP-3DES-SHA
crypto map outside_map1 interface outside
crypto isakmp enable outside
crypto isakmp policy 10
authentication pre-share
encryption 3des
hash sha
group 2
lifetime 86400
telnet timeout 5
ssh timeout 5
console timeout 0
dhcpd address 192.168.2.30-192.168.2.155 inside
dhcpd dns 24.93.41.125 24.93.41.126 interface inside
dhcpd domain corporatesolutionsfw.local interface inside
dhcpd enable inside
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
webvpn
anyconnect-essentials
group-policy DfltGrpPolicy attributes
tunnel-group 2.2.2.2 type ipsec-l2l
tunnel-group 2.2.2.2 ipsec-attributes
pre-shared-key *****
prompt hostname context
call-home
profile CiscoTAC-1
no active
destination address http https://tools.cisco.com/its/service/oddce/services/DDCEService
destination address email [email protected]
destination transport-method http
subscribe-to-alert-group diagnostic
subscribe-to-alert-group environment
subscribe-to-alert-group inventory periodic monthly
subscribe-to-alert-group configuration periodic monthly
subscribe-to-alert-group telemetry periodic daily
Cryptochecksum:021cf43a4211a99232849372c380dda2
: end
Site A sh crypto isakmp sa:
Active SA: 1
Rekey SA: 0 (A tunnel will report 1 Active and 1 Rekey SA during rekey)
Total IKE SA: 1
1 IKE Peer: 2.2.2.2
Type : L2L Role : responder
Rekey : no State : MM_ACTIVE
Site A sh ipsec sa:
Result of the command: "sh ipsec sa"
interface: outside
Crypto map tag: outside_map1, seq num: 1, local addr: 1.1.1.1
access-list outside_1_cryptomap_1 extended permit ip 192.168.2.0 255.255.255.0 192.168.1.0 255.255.255.0
local ident (addr/mask/prot/port): (192.168.2.0/255.255.255.0/0/0)
remote ident (addr/mask/prot/port): (san_antonio_inside/255.255.255.0/0/0)
current_peer: 2.2.2.2
#pkts encaps: 1, #pkts encrypt: 1, #pkts digest: 1
#pkts decaps: 239, #pkts decrypt: 239, #pkts verify: 239
#pkts compressed: 0, #pkts decompressed: 0
#pkts not compressed: 1, #pkts comp failed: 0, #pkts decomp failed: 0
#pre-frag successes: 0, #pre-frag failures: 0, #fragments created: 0
#PMTUs sent: 0, #PMTUs rcvd: 0, #decapsulated frgs needing reassembly: 0
#send errors: 0, #recv errors: 0
local crypto endpt.: 1.1.1.1, remote crypto endpt.: 71.40.110.179
path mtu 1500, ipsec overhead 58, media mtu 1500
current outbound spi: C1074C40
current inbound spi : B21273A9
inbound esp sas:
spi: 0xB21273A9 (2987553705)
transform: esp-3des esp-sha-hmac no compression
in use settings ={L2L, Tunnel, }
slot: 0, conn_id: 1691648, crypto-map: outside_map1
sa timing: remaining key lifetime (kB/sec): (3914989/27694)
IV size: 8 bytes
replay detection support: Y
Anti replay bitmap:
0xFFFFFFFF 0xFFFFFFFF
outbound esp sas:
spi: 0xC1074C40 (3238480960)
transform: esp-3des esp-sha-hmac no compression
in use settings ={L2L, Tunnel, }
slot: 0, conn_id: 1691648, crypto-map: outside_map1
sa timing: remaining key lifetime (kB/sec): (3914999/27694)
IV size: 8 bytes
replay detection support: Y
Anti replay bitmap:
0x00000000 0x00000001
Site B running config:
Result of the command: "sh run"
: Saved
: Serial Number: JMX184640WY
: Hardware: ASA5505, 512 MB RAM, CPU Geode 500 MHz
ASA Version 9.2(2)4
hostname CSOLSAASA
enable password WI19w3dXj6ANP8c6 encrypted
xlate per-session deny tcp any4 any4
xlate per-session deny tcp any4 any6
xlate per-session deny tcp any6 any4
xlate per-session deny tcp any6 any6
xlate per-session deny udp any4 any4 eq domain
xlate per-session deny udp any4 any6 eq domain
xlate per-session deny udp any6 any4 eq domain
xlate per-session deny udp any6 any6 eq domain
names
interface Ethernet0/0
switchport access vlan 2
interface Ethernet0/1
interface Ethernet0/2
interface Ethernet0/3
interface Ethernet0/4
interface Ethernet0/5
interface Ethernet0/6
interface Ethernet0/7
interface Vlan1
nameif inside
security-level 100
ip address 192.168.1.1 255.255.255.0
interface Vlan2
nameif outside
security-level 0
ip address 2.2.2.2 255.255.255.248
ftp mode passive
object network NETWORK_OBJ_192.168.1.0_24
subnet 192.168.1.0 255.255.255.0
object network mcallen_network
subnet 192.168.2.0 255.255.255.0
access-list outside_cryptomap extended permit ip object NETWORK_OBJ_192.168.1.0_24 object mcallen_network
access-list outside_access_in extended permit ip object mcallen_network 192.168.1.0 255.255.255.0
pager lines 24
logging enable
logging asdm informational
mtu inside 1500
mtu outside 1500
no failover
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-731-101.bin
no asdm history enable
arp timeout 14400
no arp permit-nonconnected
nat (inside,outside) source static NETWORK_OBJ_192.168.1.0_24 NETWORK_OBJ_192.168.1.0_24 destination static mcallen_network mcallen_network no-proxy-arp route-lookup
nat (inside,outside) after-auto source dynamic any interface
access-group outside_access_in in interface outside
route outside 0.0.0.0 0.0.0.0 2.2.2.2 1
timeout xlate 3:00:00
timeout pat-xlate 0:00:30
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
dynamic-access-policy-record DfltAccessPolicy
user-identity default-domain LOCAL
http server enable
http 192.168.1.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
crypto ipsec ikev1 transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-AES-128-SHA-TRANS esp-aes esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-128-SHA-TRANS mode transport
crypto ipsec ikev1 transform-set ESP-AES-128-MD5-TRANS esp-aes esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-AES-128-MD5-TRANS mode transport
crypto ipsec ikev1 transform-set ESP-AES-192-SHA-TRANS esp-aes-192 esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-192-SHA-TRANS mode transport
crypto ipsec ikev1 transform-set ESP-AES-192-MD5-TRANS esp-aes-192 esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-AES-192-MD5-TRANS mode transport
crypto ipsec ikev1 transform-set ESP-AES-256-SHA-TRANS esp-aes-256 esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-256-SHA-TRANS mode transport
crypto ipsec ikev1 transform-set ESP-AES-256-MD5-TRANS esp-aes-256 esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-AES-256-MD5-TRANS mode transport
crypto ipsec ikev1 transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-3DES-SHA-TRANS esp-3des esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-3DES-SHA-TRANS mode transport
crypto ipsec ikev1 transform-set ESP-3DES-MD5-TRANS esp-3des esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-3DES-MD5-TRANS mode transport
crypto ipsec ikev1 transform-set ESP-DES-SHA esp-des esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-DES-MD5 esp-des esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-DES-SHA-TRANS esp-des esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-DES-SHA-TRANS mode transport
crypto ipsec ikev1 transform-set ESP-DES-MD5-TRANS esp-des esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-DES-MD5-TRANS mode transport
crypto ipsec ikev2 ipsec-proposal DES
protocol esp encryption des
protocol esp integrity sha-1 md5
crypto ipsec ikev2 ipsec-proposal 3DES
protocol esp encryption 3des
protocol esp integrity sha-1 md5
crypto ipsec ikev2 ipsec-proposal AES
protocol esp encryption aes
protocol esp integrity sha-1 md5
crypto ipsec ikev2 ipsec-proposal AES192
protocol esp encryption aes-192
protocol esp integrity sha-1 md5
crypto ipsec ikev2 ipsec-proposal AES256
protocol esp encryption aes-256
protocol esp integrity sha-1 md5
crypto ipsec security-association pmtu-aging infinite
crypto map outside_map3 1 match address outside_cryptomap
crypto map outside_map3 1 set peer 1.1.1.1
crypto map outside_map3 1 set ikev1 transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5
crypto map outside_map3 interface outside
crypto ca trustpool policy
crypto ikev2 policy 1
encryption aes-256
integrity sha
group 5 2
prf sha
lifetime seconds 86400
crypto ikev2 policy 10
encryption aes-192
integrity sha
group 5 2
prf sha
lifetime seconds 86400
crypto ikev2 policy 20
encryption aes
integrity sha
group 5 2
prf sha
lifetime seconds 86400
crypto ikev2 policy 30
encryption 3des
integrity sha
group 5 2
prf sha
lifetime seconds 86400
crypto ikev2 policy 40
encryption des
integrity sha
group 5 2
prf sha
lifetime seconds 86400
crypto ikev2 enable outside
crypto ikev1 enable outside
crypto ikev1 policy 120
authentication pre-share
encryption 3des
hash sha
group 2
lifetime 86400
telnet timeout 5
ssh stricthostkeycheck
ssh timeout 5
ssh key-exchange group dh-group1-sha1
console timeout 0
dhcpd address 192.168.1.200-192.168.1.250 inside
dhcpd dns 24.93.41.125 24.93.41.126 interface inside
dhcpd domain CSOLSA.LOCAL interface inside
dhcpd enable inside
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
webvpn
anyconnect-essentials
group-policy DfltGrpPolicy attributes
vpn-tunnel-protocol ikev1
tunnel-group 1.1.1.1 type ipsec-l2l
tunnel-group 1.1.1.1 ipsec-attributes
ikev1 pre-shared-key *****
policy-map type inspect dns preset_dns_map
parameters
message-length maximum client auto
message-length maximum 512
prompt hostname context
no call-home reporting anonymous
call-home
profile CiscoTAC-1
no active
destination address http https://tools.cisco.com/its/service/oddce/services/DDCEService
destination address email [email protected]
destination transport-method http
subscribe-to-alert-group diagnostic
subscribe-to-alert-group environment
subscribe-to-alert-group inventory periodic monthly
subscribe-to-alert-group configuration periodic monthly
subscribe-to-alert-group telemetry periodic daily
Cryptochecksum:4e058021a6e84ac7956dca0e5a143b8d
: end
Site B sh crypto isakmp sa:
Result of the command: "sh crypto isakmp sa"
IKEv1 SAs:
Active SA: 1
Rekey SA: 0 (A tunnel will report 1 Active and 1 Rekey SA during rekey)
Total IKE SA: 1
1 IKE Peer: 1.1.1.1
Type : L2L Role : initiator
Rekey : no State : MM_ACTIVE
There are no IKEv2 SAs
Site B sh ipsec sa:
Result of the command: "sh ipsec sa"
interface: outside
Crypto map tag: outside_map3, seq num: 1, local addr: 71.40.110.179
access-list outside_cryptomap extended permit ip 192.168.1.0 255.255.255.0 192.168.2.0 255.255.255.0
local ident (addr/mask/prot/port): (192.168.1.0/255.255.255.0/0/0)
remote ident (addr/mask/prot/port): (192.168.2.0/255.255.255.0/0/0)
current_peer: 1.1.1.1
#pkts encaps: 286, #pkts encrypt: 286, #pkts digest: 286
#pkts decaps: 1, #pkts decrypt: 1, #pkts verify: 1
#pkts compressed: 0, #pkts decompressed: 0
#pkts not compressed: 286, #pkts comp failed: 0, #pkts decomp failed: 0
#pre-frag successes: 0, #pre-frag failures: 0, #fragments created: 0
#PMTUs sent: 0, #PMTUs rcvd: 0, #decapsulated frgs needing reassembly: 0
#TFC rcvd: 0, #TFC sent: 0
#Valid ICMP Errors rcvd: 0, #Invalid ICMP Errors rcvd: 0
#send errors: 0, #recv errors: 0
local crypto endpt.: 2.2.2.2/0, remote crypto endpt.: 1.1.1.1/0
path mtu 1500, ipsec overhead 58(36), media mtu 1500
PMTU time remaining (sec): 0, DF policy: copy-df
ICMP error validation: disabled, TFC packets: disabled
current outbound spi: B21273A9
current inbound spi : C1074C40
inbound esp sas:
spi: 0xC1074C40 (3238480960)
transform: esp-3des esp-sha-hmac no compression
in use settings ={L2L, Tunnel, IKEv1, }
slot: 0, conn_id: 28672, crypto-map: outside_map3
sa timing: remaining key lifetime (kB/sec): (4373999/27456)
IV size: 8 bytes
replay detection support: Y
Anti replay bitmap:
0x00000000 0x00000003
outbound esp sas:
spi: 0xB21273A9 (2987553705)
transform: esp-3des esp-sha-hmac no compression
in use settings ={L2L, Tunnel, IKEv1, }
slot: 0, conn_id: 28672, crypto-map: outside_map3
sa timing: remaining key lifetime (kB/sec): (4373987/27456)
IV size: 8 bytes
replay detection support: Y
Anti replay bitmap:
0x00000000 0x00000001
Hi Keegan,
Your tunnel is up and encrypting traffic one way; the other end is not able to encrypt the traffic.
I would suggest doing a 'clear xlate'. Sometimes if you set up the nonat configuration after you've attempted other configurations, you need to 'clear xlate' before the previous NAT configuration is cleared and the new one works.
HTH
"Please rate useful posts"
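As an added example (not part of this thread or of any Cisco tool), here is a small check that reads the #pkts encaps/decaps counters from the two 'sh ipsec sa' outputs above and reports which peer never sends traffic into the tunnel, which is the one-way condition described in the reply. The excerpts are constructed from the counters posted in this thread; the function names and the min_pkts threshold are my own assumptions.

```python
import re

# Constructed excerpts of the Site A / Site B 'sh ipsec sa' output from this
# thread, reduced to the lines the check needs.
SITE_A_SA = """\
Crypto map tag: outside_map1, seq num: 1, local addr: 1.1.1.1
current_peer: 2.2.2.2
#pkts encaps: 1, #pkts encrypt: 1, #pkts digest: 1
#pkts decaps: 239, #pkts decrypt: 239, #pkts verify: 239
#send errors: 0, #recv errors: 0
"""
SITE_B_SA = """\
Crypto map tag: outside_map3, seq num: 1, local addr: 2.2.2.2
current_peer: 1.1.1.1
#pkts encaps: 286, #pkts encrypt: 286, #pkts digest: 286
#pkts decaps: 1, #pkts decrypt: 1, #pkts verify: 1
#send errors: 0, #recv errors: 0
"""

COUNTER_RE = re.compile(r"#pkts (encaps|decaps): (\d+)")
ERROR_RE = re.compile(r"#(send|recv) errors: (\d+)")


def parse_sa(text):
    """Pull encaps/decaps and send/recv error counters out of one SA block."""
    counters = {}
    for m in COUNTER_RE.finditer(text):
        counters[m.group(1)] = int(m.group(2))
    for m in ERROR_RE.finditer(text):
        counters[m.group(1) + "_errors"] = int(m.group(2))
    return counters


def diagnose(site_a, site_b, min_pkts=10):
    """Classify the tunnel from both peers' counters.

    bidirectional: both peers encapsulate traffic into the tunnel.
    one-way:       only one peer encapsulates; the silent peer's traffic is
                   being NATed or routed away before it reaches the crypto
                   map (the 'clear xlate' / NAT exemption case above).
    down:          neither peer encapsulates anything.
    """
    a_tx, b_tx = site_a.get("encaps", 0), site_b.get("encaps", 0)
    if a_tx >= min_pkts and b_tx >= min_pkts:
        return {"status": "bidirectional", "silent_peer": None}
    if a_tx < min_pkts and b_tx < min_pkts:
        return {"status": "down", "silent_peer": None}
    silent = "site_a" if a_tx < min_pkts else "site_b"
    return {"status": "one-way", "silent_peer": silent}


if __name__ == "__main__":
    print(diagnose(parse_sa(SITE_A_SA), parse_sa(SITE_B_SA)))
```

With the counters posted here the check reports Site A as the silent peer: it decapsulates Site B's packets but encapsulates almost nothing back, so the return traffic is leaving Site A outside the tunnel.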