PBR on router: VPN + Internet on ADSL; static NAT on serial

Similar Messages

• Static NAT - VPN - Internet Access

  Does anyone know how to configure the following?
  1.  An static NAT from an inside ip address to another inside ip address (not physical subnet).
  2.  The traffic static Natted at the step 1 need to go into a tunnel VPN and at the same time to have internet access.
  My router just have two interfaces a WAN and a LAN.
  I just created the VPN, the static NAT and the PAT for other users of the subnet to have internet access, but the traffic static Natted just goes over the ipsec tunnel but cannot have internet access.
  I tried to apply a route map after the static nat command but since i do not have a physical interface in the same subnet were i am translating the route-map is not applied to the static nat command.
  in an extract:
  LAN traffic (specific server) --->> static nat to inside not real subnet --->> traffic goes over Tunnel (OK), but no internet access.
  BTW.  I need to configure the nat before de ipsec tunnel because both lan subnets of the ipsec tunnel endpoint are the same.

  Why do you need an inside host to be natted to another inside IP address?
  You need to configure a "no nat" policy, for the internet traffic.

• DM-VPN with Static NAT for Spoke Router. Require Expert Help

  Dear All,
              This is my first time to write something .
                           i have configure DM-VPN, and it's working fine, now i want to configure static nat.
  some people will think why need static nat if it's working fine.
  let me tell you why i need. what is my plan.
  i have HUB with 3 spoke. some time i go out side of my office and not able to access my spoke computer by Terminal Services. because its by dynamic ip address.  so what i think i'll give one Static NAT on my HUB Router that if any one or Me Hit the Real/Public IP address of my HUB WAN Interface from any other Remote location so redirect this quiry to my Terminal Service computer which located in spoke network.
  will for that i try but fail. 
  will again the suggestion will come. why not to use .. Easy VPN. well sound great. but then i have to keep my notebook with me.
  i'll also do it but now i need that how to do Static NAT. like for normal Router i am doing which is not part of VPN.
  ip nat inside source static tcp 192.168.1.10 3389 interface Dialer1 3389
  but this time  this command is not working, because the ip address which i mention it's related HUB Network not Spoke
  spose spoke Network: 192.168.2.0/24
  and i want on HUB Router:
  ip nat inside source static tcp 192.168.2.10 3389 interface Dialer1 3389
  i am using Cisco -- 887 and 877 ADSL Router.
  but it's not working,   Need experts help. please write your comment's which are very important for me. waiting for your commant's
  fore more details please see the diagram.
  for Contact Me: [email protected]

  hi rvarelac  thank you for reply :
  i allready done that ,  i put a deny statements in nat access-list excluding the vpn traffic , but the problem still there !
  crypto isakmp policy 10
   encr aes
   authentication pre-share
  crypto isakmp key 12344321 address 1.1.1.1
  crypto ipsec transform-set Remote-Site esp-aes esp-sha-hmac
   mode tunnel
  crypto map s2s 100 ipsec-isakmp
   set peer 1.1.1.1
   set transform-set Remote-Site
   match address vpnacl
  interface GigabitEthernet0/0
   crypto map s2s
  Extended IP access list lantointernet
  30 deny icmp 172.17.0.0 0.0.1.255 192.168.1.0 0.0.0.255
  40 deny igmp 172.17.0.0 0.0.1.255 192.168.1.0 0.0.0.255
  50 deny ip 172.17.0.0 0.0.1.255 192.168.1.0 0.0.0.255
  80 permit ip any any

• Configure RVS4000 Behind 2700-Gateway Qwest DSL Router VPN

  I have my QWEST DSL Router 2700-Gateway using a static public IP address
  This is setup to be the DHCP and assigned 192.168.0.2-50
  I need some help how to connect my RVS4000 and utilize VPN so I can connect to my work network from home. The 2700-Gateway has some features like Transparent Bridging, etc, but not sure how to me this work. Can anyone point me to article even if it's configuring with another DSL Router.
  Here is how I tried with my medium knowledge of networking...
  I have configured the RVS4000 as:
  LAN Static IP
  192.168.0.115
  Configured as DHCP Relay
  the 2700-Gateway router saw the device so:
  Configured firewall on 2700-Gateway for PORT FORWARDING:
  TCP port 1723 for PPTP tunnel maintenance traffic
  UDP port 47 Generic Routing Encapsulation (GRE)
  UDP port 500 for Internet Key Exchange (IKE) traffic
  UDP port 1701 for L2TP traffic
  --> 192.168.0.115
  This did not work.

  gv,
  Thanks for your help. I discovered the EasyVPN works quite differently then I expected a IPSec to work. Thanks for the suggestions. I documented my finding and procedure below.
  The answer was to use the transparent bridging setting on my DSL modem model 2Wire GATEWAYHG-2700 and and turn off Search PCV,  then setup the PPPoE on the RVS4000 VPN router to accept and authenticate my public IP address.
  Once I had the modem and router configured, I then had my RVS4000 VPN router ready to test VPN client. The documentation is vague. But after doing some research on here and having some difficulty:
  My Finding:
  I already had latest Firmware 1.109 from purchase
  On the client, I discovered from reading that the EasyVPN uses 443. Well I have this forwarding to a exchange server to utilize RPC/HTTPS with outlook. This turns out that it was fixed with the lastest firmware
  The new firmware allows this, as they fixed the vpn listening port override to port 60443..
  I port forwarded this to my router gateway 192.168.1.1
  In order to use this port, you must have the lastest client from the downloads at RVS4000 version. 1.10 which adds a drop box Auto/443/60433. I found auto and 60443 to work with my configuration.
  This configuration let me connect successfully.
  If you read the readme that's included with the EasyVPN client download, you have to export the client cert under VPN, and copy the file *.pem to the root folder of the vpn client.exe stated in readme to get rid of the security popup. This worked for me.
  So everything seems to be connecting.. But know get "The remote gateway is not responding" popup.  I tried the suggested MTU setting with no luck.
  After establishing a network share under map drive, this seems to have stop responding as well once this popup occurs.
  Things like this should just not be so hard..
  So I found this post in regards to my problem and hoping to here if anyone else has found a solution or work around here. Good night, some things are just not worth staying up late for,
  http://forums.linksys.com/linksys/board/message?board.id=Wired_Routers&message.id=13651#M13651
  Message Edited by MOTOGEEK on 12-10-2007 11:01 PM
  Message Edited by MOTOGEEK on 12-10-2007 11:04 PM
  Message Edited by MOTOGEEK on 12-10-2007 11:05 PM

• Static NAT (in and out) and PAT on a Router

  Static NAT and PAT
  I need to have a customer network connected to my extranet.
  I’m not in control of the customer network addressing. But need to configure a VPN connection.
  I will supply the router that will also be the customer Firewall to the Internet (PAT).
  (1) I need to be able to do PAT on traffic from internal hosts to the Internet.
  (2) I need to hide (NAT) the customer network behind a network supplied by me (match-host), when they are accessing my extranet (through VPN).
  (3) I need to be able to access hosts on the customer network, through the hiding (NAT) addresses from my extranet (through VPN).
  The following configuration will solve (1) & (2), but I can not (3) reach the internal servers from my extranet, except if the internal host has made connection to the extranet, witch will create a translate entry in the NAT table.
  Extranet is: 172.16.16.0/24
  Internal net is: 192.168.1.0/24
  interface Vlan1
  ip address 192.168.1.1 255.255.255.0
  ip nat inside
  interface FastEthernet4
  ip address 1.1.1.1
  ip nat outside
  access-list 175 deny 192.168.1.0 0.0.0.255 172.16.16.0 0.0.0.255
  access-list 175 permit 192.168.1.0 0.0.0.255 any
  access-list 176 permit 192.168.1.0 0.0.0.255 172.16.16.0 0.0.0.255
  ip nat pool FRO 10.192.10.1 10.192.10.254 netmask 255.255.255.0 type match-host
  ip nat inside source list 175 interface FastEthernet4 overload
  ip nat inside source route-map HIDE pool FRO reversible
  route-map HIDE permit 10
  match ip address 176

  Create a NAT configuration in the router which also translates even your outside Global address(your extranet) into the inside Global(any private) address through the keyword "rotary".Only this rotary pool will provide the pool of inside global IP address for yopur outside Global IP addresses.
  The following white paper will provide you with the required information,
  http://www.cisco.com/en/US/products/ps6640/products_white_paper09186a0080091cb9.shtml

• 2851 router vpn to 851 router lan clients cannot ping

  Greets - I'm expanding my lab experience by adding a 2851 router to my mix of 18xx and 851/871 units. Some of this infrastructure is in production, some just lab work. I have established good connectivity between 18xx's and 851/871's with IPSEC VPNs (site-to-site static and dynamic), but my problem is with adding in a 2851.
  Setup: 2851 with 12.4 ADVENTK9, WAN on GE0/0 as 216.189.223.bbb/26, LAN on GE0/1 as 172.20.0.1/20 (VPN module, but no additional HWIC modules)
  851 with 12.4 ADVENTK9, WAN on FE4 as 216.53.254.aaa/24, LAN on FE0..3 via BVI1 as 172.21.1.1/24
  The two router WAN ports are bridged via a 3rd router (a Zywall with 216.0.0.0/8 route, with the router at 216.1.1.1) affectionately called the "InterNOT", which provides a surrogate to the great web, minus actual other hosts and dns, but it doesn't matter. As both my WAN addresses are within 216.x.x.x, this works quite well. This surrogate has tested fine and is known to not be part of a problem.
  The 851 has been tested against another 851 with complementary setup and a successful VPN can run between the two.
  I have good LAN-WAN connections on each router. I do have a "Good" VPN connection between the two routers.
  The problem: I cannot ping from a LAN host on 172.20.x.x on the 2851 to any 172.21.1.x (eg 172.21.1.1) host on the 851, and vice versa.
  From a LAN host, I can ping to my InterNOT - for example a dhcp host 172.20.6.2 on the 2851 LAN can ping 216.1.1.1 fine. I can also ping the 851's WAN address at 216.53.254.aaa.
  To complicate matters, if I connect to the routers via console, I CAN ping across the vpn to the destination LAN hosts, in both directions.
  This seems to indicate that there is a bridging problem between the LAN interfaces to the VPN interfaces. I suspect this is a config problem on the 2851, as I have had a similar config working on my 851 to 851 site-to-site setups. I also suspect it is in the 2851's config as I'm still just starting out with this particular router.
  So some stripped-down configs:
  For the 2851:
  no service config
  service timestamps debug datetime msec
  service timestamps log datetime msec
  no service password-encryption
  hostname router2851
  boot-start-marker
  boot-end-marker
  no logging buffered
  no logging console
  enable password mypassword2
  no aaa new-model
  dot11 syslog
  no ip cef
  no ip dhcp use vrf connected
  ip dhcp excluded-address 172.20.0.1 172.20.6.1
  ip dhcp excluded-address 172.20.6.254 172.20.15.254
  ip dhcp pool Internal_2000
     import all
     network 172.20.0.0 255.255.240.0
     domain-name myseconddomain.int
     default-router 172.20.0.1
     lease 7
  no ip domain lookup
  multilink bundle-name authenticated
  voice-card 0
   no dspfarm
  crypto pki <<truncated>>
  crypto pki certificate chain TP-self-signed-2995823027
   <<truncated>>
        quit
  username myusername privilege 15 password 0 mypassword2
  archive
   log config
    hidekeys
  crypto isakmp policy 1
   encr 3des
   authentication pre-share
   group 2
  crypto isakmp key mysharedkey address 216.53.254.aaa
  crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
  crypto map SDM_CMAP_1 1 ipsec-isakmp
   description Tunnel to216.53.254.aaa
   set peer 216.53.254.aaa
   set transform-set ESP-3DES-SHA
   match address 100
  interface GigabitEthernet0/0
   description $ETH-WAN$
   ip address 216.189.223.bbb 255.255.255.192
   ip nat outside
   ip virtual-reassembly
   duplex auto
   speed auto
   crypto map SDM_CMAP_1
   no shut
  interface GigabitEthernet0/1
   description $FW_INSIDE$$ETH-LAN$
   ip address 172.20.0.1 255.255.240.0
   ip nat inside
   ip virtual-reassembly
   no ip route-cache
   duplex auto
   speed auto
   no mop enabled
  ip forward-protocol nd
  ip route 0.0.0.0 0.0.0.0 GigabitEthernet0/0
  ip http server
  ip http authentication local
  ip http secure-server
  ip dns server
  ip nat inside source route-map SDM_RMAP_1 interface GigabitEthernet0/0 overload
  access-list 1 remark CCP_ACL Category=2
  access-list 1 permit 172.20.0.0 0.0.15.255
  access-list 100 remark CCP_ACL Category=4
  access-list 100 remark IPSec Rule
  access-list 100 permit ip 172.20.0.0 0.0.15.255 172.21.1.0 0.0.0.255
  access-list 101 remark CCP_ACL Category=2
  access-list 101 remark IPSec Rule
  access-list 101 deny   ip 172.20.0.0 0.0.15.255 172.21.1.0 0.0.0.255
  access-list 101 permit ip 172.20.0.0 0.0.15.255 any
  route-map SDM_RMAP_1 permit 1
   match ip address 101
  control-plane
  banner motd ~This is a private computer system for authorized use only. And Stuff~
  line con 0
  line aux 0
  line vty 0 4
   privilege level 15
   password mypassword
   login local
   transport input telnet ssh
  scheduler allocate 20000 1000
  end
  And for the 851:
  no service pad
  service timestamps debug datetime msec
  service timestamps log datetime msec
  no service password-encryption
  hostname router851
  boot-start-marker
  boot-end-marker
  logging buffered 52000 debugging
  no logging console
  enable password mypassword
  aaa new-model
  aaa authentication login default local
  aaa authorization exec default local
  aaa session-id common
  resource policy
  clock timezone PCTime -5
  clock summer-time PCTime date Apr 6 2003 2:00 Oct 26 2003 2:00
  no ip dhcp use vrf connected
  ip dhcp excluded-address 172.21.1.1 172.21.1.100
  ip dhcp pool Internal_2101
     import all
     network 172.21.1.0 255.255.255.0
     default-router 172.21.1.1
     domain-name mydomain.int
     dns-server 172.21.1.10
     lease 4
  ip cef
  ip domain name mydomain.int
  ip name-server 172.21.1.10
  crypto pki <<truncated>>
  crypto pki certificate chain TP-self-signed-3077836316
   <<truncated>>
    quit
  username myusername privilege 15 password 0 mypassword2
  crypto isakmp policy 1
   encr 3des
   authentication pre-share
   group 2
  crypto isakmp key mysharedkey address 216.189.223.aaa
  crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
  crypto ipsec transform-set ESP-3DES-SHA1 esp-3des esp-sha-hmac
  crypto ipsec transform-set ESP-3DES-SHA2 esp-3des esp-sha-hmac
  crypto map SDM_CMAP_1 1 ipsec-isakmp
   description Tunnel to216.189.223.bbb
   set peer 216.189.223.bbb
   set transform-set ESP-3DES-SHA2
   match address 100
  bridge irb
  interface FastEthernet0
   spanning-tree portfast
  interface FastEthernet1
   spanning-tree portfast
  interface FastEthernet2
   spanning-tree portfast
  interface FastEthernet3
   spanning-tree portfast
  interface FastEthernet4
   description $ETH-WAN$
   ip address 216.53.254.aaa 255.255.254.0
   ip nat outside
   ip virtual-reassembly
   ip tcp adjust-mss 1460
   duplex auto
   speed auto
   no cdp enable
   crypto map SDM_CMAP_1
   no shut
  interface Vlan1
   description Internal Network
   no ip address
   ip nat inside
   ip virtual-reassembly
   bridge-group 1
   bridge-group 1 spanning-disabled
  interface BVI1
   description Bridge to Internal Network
   ip address 172.21.1.1 255.255.255.0
   ip nat inside
   ip virtual-reassembly
  ip route 0.0.0.0 0.0.0.0 FastEthernet4
  ip route 172.21.1.0 255.255.255.0 BVI1
  ip http server
  ip http secure-server
  ip nat inside source route-map SDM_RMAP_1 interface FastEthernet4 overload
  access-list 1 remark CCP_ACL Category=2
  access-list 1 permit 172.21.1.0 0.0.0.255
  access-list 100 remark CCP_ACL Category=4
  access-list 100 remark IPSec Rule
  access-list 100 permit ip 172.21.1.0 0.0.0.255 172.20.0.0 0.0.15.255
  access-list 101 remark CCP_ACL Category=2
  access-list 101 remark IPSec Rule
  access-list 101 deny   ip 172.21.1.0 0.0.0.255 172.20.0.0 0.0.15.255
  access-list 101 remark IPSec Rule
  access-list 101 deny   ip 172.21.1.0 0.0.0.255 172.21.101.0 0.0.0.31
  access-list 101 permit ip 172.21.1.0 0.0.0.255 any
  route-map SDM_RMAP_1 permit 1
   match ip address 101
  control-plane
  bridge 1 route ip
  banner motd ~This is a private computer system for authorized use only. And Stuff.~
  line con 0
   password mypassword
   no modem enable
  line aux 0
  line vty 0 4
   password mypassword
  scheduler max-task-time 5000
  end
  Note that the above are somewhat stripped-down configs, without firewall or WAN ACL's - interestingly my default WAN-Inbound ACLs seem to break connectivity when included, so I realize I have some more cleanup to do there, but the 2851 LAN bridging seems to be what I should concentrate on first.
  I'm still googling some of the particulars with the 2851, but any assistance is appreciated.
  Regards,
  Ted.

  Hi,
  First,please delete NAT.If we configured the NAT in the RRAS,the source IP address in all packets sent to 192.168.1.0/24 would be translated to 192.168.1.224.
  Second,please enable the LAN routing in RRAS server.To enable LAN routing,please follow the steps below,
  1.In the RRAS server,Open Routing and Remote Access.
  2.Right-click the server name,then click
  properties.
  3.On the General tab,select
  IPv4 Router check box,and then click Local area network(LAN) routing only.
  Then,announce the 172.16.0.0 network to the router.
  To learn more details about enabling LAN routing, please refer to the link below,
  http://technet.microsoft.com/en-us/library/dd458974.aspx
  Best Regards,
  Tina

• Static-nat and vpn tunnel bound traffic from same private address?

  Hi guys,
  I have site-to-site tunnel local host @192.168.0.250 and remote-host @172.16.3.3.
  For this local host @192.168.0.250, I also have a static one-to-one private to public.
  static (mgmt-192,outside-50) 216.9.50.250 192.168.0.250 netmask 255.255.255.255
  As you can see, IPSec SA shows end-points in question and traffic is being decrypted but not encrypted host traffic never enter into the tunnel, why?
  How can I resolve this problem, without complicating the setup ?
  BurlingtonASA1# packet-tracer input mgmt-192 icmp 192.168.0.250 8 0 172.16.3.3
  Phase: 1
  Type: CAPTURE
  Subtype: 
  Result: ALLOW
  Config:
  Additional Information:
  MAC Access list
  Phase: 2
  Type: ACCESS-LIST
  Subtype: 
  Result: ALLOW
  Config:
  Implicit Rule
  Additional Information:
  MAC Access list
  Phase: 3
  Type: ROUTE-LOOKUP
  Subtype: input
  Result: ALLOW
  Config:
  Additional Information:
  in   0.0.0.0         0.0.0.0         outside-50
  Phase: 4
  Type: ROUTE-LOOKUP
  Subtype: input
  Result: ALLOW
  Config:
  Additional Information:
  in   192.168.0.0     255.255.255.0   mgmt-192
  Phase: 5
  Type: ACCESS-LIST
  Subtype: log
  Result: ALLOW
  Config:
  access-group mgmt_intf in interface mgmt-192
  access-list mgmt_intf extended permit icmp any any 
  access-list mgmt_intf remark *** Permit Event02 access to DMZ Intf ***
  Additional Information:
  Phase: 6
  Type: IP-OPTIONS
  Subtype: 
  Result: ALLOW
  Config:
  Additional Information:
  Phase: 7
  Type: INSPECT
  Subtype: np-inspect
  Result: ALLOW
  Config:
  Additional Information:
  Phase: 8
  Type: NAT-EXEMPT
  Subtype: 
  Result: ALLOW
  Config:
  nat-control
    match ip mgmt-192 host 192.168.0.250 outside-50 host 172.16.3.3
      NAT exempt
      translate_hits = 5, untranslate_hits = 0
  Additional Information:
  Phase: 9
  Type: NAT
  Subtype: 
  Result: ALLOW
  Config:
  static (mgmt-192,outside-50) 216.9.50.250 192.168.0.250 netmask 255.255.255.255 
  nat-control
    match ip mgmt-192 host 192.168.0.250 outside-50 any
      static translation to 216.9.50.250
      translate_hits = 25508, untranslate_hits = 7689
  Additional Information:
  Phase: 10
  Type: NAT
  Subtype: host-limits
  Result: ALLOW
  Config:
  static (mgmt-192,dmz2-172) 192.168.0.0 192.168.0.0 netmask 255.255.255.0 
  nat-control
    match ip mgmt-192 192.168.0.0 255.255.255.0 dmz2-172 any
      static translation to 192.168.0.0
      translate_hits = 28867754, untranslate_hits = 29774713
  Additional Information:
  Phase: 11
  Type: VPN
  Subtype: encrypt
  Result: ALLOW
  Config:
  Additional Information:
  Phase: 12
  Type: FLOW-CREATION
  Subtype: 
  Result: ALLOW
  Config:
  Additional Information:
  New flow created with id 1623623685, packet dispatched to next module
  Result:
  input-interface: mgmt-192
  input-status: up
  input-line-status: up
  output-interface: outside-50
  output-status: up
  output-line-status: up
  Action: allow
  BurlingtonASA1# 
  Crypto map tag: map1, seq num: 4, local addr: 216.9.50.4
        access-list newvpn extended permit ip host 192.168.0.250 host 172.16.3.3 
        local ident (addr/mask/prot/port): (192.168.0.250/255.255.255.255/0/0)
        remote ident (addr/mask/prot/port): (172.16.3.3/255.255.255.255/0/0)
        current_peer: 216.9.62.4
        #pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
        #pkts decaps: 53, #pkts decrypt: 53, #pkts verify: 53
        #pkts compressed: 0, #pkts decompressed: 0
        #pkts not compressed: 0, #pkts comp failed: 0, #pkts decomp failed: 0
        #pre-frag successes: 0, #pre-frag failures: 0, #fragments created: 0
        #PMTUs sent: 0, #PMTUs rcvd: 0, #decapsulated frgs needing reassembly: 0
        #send errors: 0, #recv errors: 0
        local crypto endpt.: 216.9.50.4, remote crypto endpt.: 216.9.62.4
        path mtu 1500, ipsec overhead 74, media mtu 1500
        current outbound spi: 37CA63F1
        current inbound spi : 461C843C
      inbound esp sas:
        spi: 0x461C843C (1176273980)
           transform: esp-aes-256 esp-sha-hmac no compression 
           in use settings ={L2L, Tunnel, }
           slot: 0, conn_id: 77398016, crypto-map: map1
           sa timing: remaining key lifetime (kB/sec): (3914997/25972)
           IV size: 16 bytes
           replay detection support: Y
           Anti replay bitmap: 
            0x003FFFFF 0xFFFFFFFF
      outbound esp sas:
        spi: 0x37CA63F1 (936010737)
           transform: esp-aes-256 esp-sha-hmac no compression 
           in use settings ={L2L, Tunnel, }
           slot: 0, conn_id: 77398016, crypto-map: map1
           sa timing: remaining key lifetime (kB/sec): (3915000/25972)
           IV size: 16 bytes
           replay detection support: Y
           Anti replay bitmap: 
            0x00000000 0x00000001

  Hi
  intersting VPN ACL
  object-group network DM_INLINE_NETWORK_18
       network-object YYY.YYY.YYY.0 255.255.255.0
  object-group network DM_INLINE_NETWORK_22
  network-object UUU.UUU.UUU.0 255.255.255.0
  access-list outside_access_in extended permit ip object-group DM_INLINE_NETWORK_22 object-group DM_INLINE_NETWORK_18
  Static NAT
  static (Inside,outside) XXX.XXX.XXX.171 YYY.YYY.YYY.39 netmask 255.255.255.255
  No NAT
  object-group network DM_INLINE_NETWORK_20
  network-object UUU.UUU.UUU.0 255.255.255.0
  access-list Inside_nat0_outbound extended permit ip ZZZ.ZZZ.ZZZ.0 255.255.255.0 object-group DM_INLINE_NETWORK_20
  VPN CLient Pool
  No pool configured as it uses the interesting traffic or protected traffic in ASDM - UUU.UUU.UUU.0 is the IP address range at the far side of the site to site VPN.
  I hope this helps
  Thanks

• Static Policy NAT in VPN conflicts with Static NAT

  I have a situation where I need to create a site-to-site VPN between an ASA 5505 using IOS 7.2 and a Sonicwall NSA4500. The problem arises in that the LAN behind the Cisco ASA has the same subnet as a currently existing VPN created on the Sonicwall. Since the Sonicwall can't have two VPNs both going to the same subnet, the solution is to use policy NAT on the ASA so that to the Sonicwall, the new VPN appears to have a different subnet.
  The current subnet behind the ASA is 192.168.10.0/24 (The Sonicwall already has a VPN created to a different client with that same subnet). I am trying to translate that to 192.168.24.0/24. The peer LAN (behind the Sonicwall) is 10.159.0.0/24. The pertinent configuration of the ASA is:
  interface Vlan1
  ip address 192.168.10.1 255.255.255.0
  access-list outside_1_cryptomap extended permit ip 192.168.24.0 255.255.255.0 10.159.0.0 255.255.255.0
  access-list VPN extended permit ip 192.168.10.0 255.255.255.0 10.159.0.0 255.255.255.0
  static (inside,outside) 192.168.24.0 access-list VPN
  crypto map outside_map 1 match address outside_1_cryptomap
  In addition to this, there are other static NAT statements and their associated ACLs that allow certain traffic through the firewall to the server, e.g.:
  static (inside,outside) tcp interface smtp SERVER smtp netmask 255.255.255.255
  The problem is this: When I enter the static policy NAT statement, I get the message "Warning: real-address conflict with existing static" and then it refers to each of the static NAT statements that translate the outside address to the server. I thought about this, and it seemed to me that the problem was that the policy NAT statement needed to be the first NAT statement (it is last) so that it would be handled first and all traffic destined for the VPN tunnel to the Sonicwall (destination 10.159.0.0/24) would be correctly handled. If I left it as the last statement, then the other static NAT statements would prevent some traffic destined for the 10.159.0.0/24 network from being correctly routed through the VPN.
  So I tried first to move my policy NAT statement up in the ASDM GUI. However, moving that statement was not permitted. Then I tried deleting the five static NAT statements that point to the server (one example is above) and then recreating them, hoping that would then move the policy NAT statement to the top. This also failed.
  What am I missing?

  Hi,
  To be honest it should work in the way I mentioned. I am not sure why it would change the order of the NAT configurations. I have run into this situation on some ASA firewalls running the older software (older than 8.2) and the reordering of the configurations has always worked.
  So I am not sure are we looking at some bug or what the problem is.
  I was wondering if one solution would be to configure all of the Static NAT / Static PAT as Static Policy NAT/PAT
  I have gotten a bit rusty on the older (8.2 and older) NAT configuration format as over 90% of our customer firewalls are running 8.3+ software.
  I was thinking of this kind of "static" configuration for the existing Static PAT configurations if you want to try
  access-list STATICPAT-SMTP permit tcp host eq smtp any
  static (inside,outside) tcp interface smtp access-list STATICPAT-SMTP
  access-list STATICPAT-HTTPS permit tcp host eq https any
  static (inside,outside) tcp interface https access-list STATICPAT-HTTPS
  access-list STATICPAT-RDP permit tcp host eq 3389 any
  static (inside,outside) tcp interface 3389 access-list STATICPAT-RDP
  access-list STATICPAT-TCP4125 permit tcp host eq 4125 any
  static (inside,outside) tcp interface 4125 access-list STATICPAT-TCP4125
  access-list STATICPAT-POP3 permit tcp host eq pop3 any
  static (inside,outside) tcp interface pop3 access-list STATICPAT-POP3
  Naturally you would add the Static Policy NAT for the VPN first.
  Again I have to say that I am not 100% sure if this was is the correct format maybe you can test it with a single service that has a Static PAT. For example the Static PAT for RDP (TCP/3389). First entering the Static Policy NAT then removing the Static PAT and then entering the Static Policy PAT.
  Remember that you should be able to test the translations with the "packet-tracer" command
  For example
  packet-tracer input outside tcp 1.1.1.1 12345
  - Jouni

• Static NAT and IPSec VPN

  This maybe stupid but may somebody help on this.
  Site A --- Internet --- Site B
  An IPSec VPN is implemented between Site A and Site B. Some "nat 0" commands are used on Site A PIX to avoid addresses being translated when communicating with site B.
  But now there is a problem, there are several public servers which have static NAT entries by "static" command. And it looks like these entry will still be valid even if the "nat 0" is presenting. And thus those inside IPs which have a static NAT, will be translated once it reaches the PIX and can not go via the VPN tunnel.
  May someone advise me how to overcome this? Thanks.

  Your question really pertains to the nat order of operations. Nat 0 (nat exemption) is first in the order. It preceeds all other including static nat. The servers you mention will absolutely be included in the nat 0 unless they are specifically denied in the nat 0 acl.

• Router-to-Router VPN Security

  Hi there,
  Should we worry about the the security on router-to-router VPN over internet (IPSec) ?
  We have two offices.
  Office A has Cisco 2811 router (internal, private) and ASA 5510 firewall.
  Office B has Cisco 2821 router (internal, private) and ASA 5505 firewall.
  Office B has private subnets that extend to 7 hops away. (running RIP)
  If we want to set up a site-to-stie VPN between these two offices, should we set it up on ASA's or routers?
  If we set up VPN on routers, does that mean we need to connect one interface to the internet on each router and suffer from Internet attacks?
  How do we defend our routers then?
  Thanks in advance!
  -Andrew

  Hi,
  when it comes to site to site vpn I usually prefer routers. Whith a little bit of tweaking NAT and routing you should be able to operate a public address on the routers even if they are behind the firewall.
  The advantage of IOS based VPN is e.g. the possibility of routing protocols through the VPN tunnels which would give another level of resiliency. Configure tunnel interfaces on the routers with a tunnel mode IPsec and a tunnel protection profile. You can then run e.g. EIGRP to find a possible alternate path if one of the tunnels fails. Its much easier than anything I can think of on the ASA.
  Rgds, MiKa

• Upgrading Internet from ADSL to VDSL

  I currently connect all my Apple equipment to an Airport Extreme to provide my home network. The Airport connects buy cable  to my ISP provided router forr internet access ( with wireless access disabled) . If I upgrade my ADSL line to VDSL will I still be able to use the same system and will I still get the speed increases VDSL should provide?  I currently receive around 3500 mbps broadband so I'm hoping to see a good speed increase with VDSL:.

  Welcome,
  I've done just this about 9 months ago. I had to replace my router as the old one only supported ADSL2+.
  I certainly get a vastly upgraded speed - I can now get 37Mbps up.17Mbps down on my iPhone via Airport and 70Mbps via iMac wired.
  I have turned OFF the WiFi provided by my Netgear WRN2000 router and just use Airports for my WiFi.
  I assume you mean 3500 bps by the way!
  Regards,
  Shawn

• VPN Server under Static NAT. Any advices?

  Hi there,
  Is it possible to setup a VPN server in DMZ under a static NAT translation? I have 2911 as an edge router, another 2951 as a firewall with four zones - inside1, inside2, outside, dmz. All IP addressing between edge and firewall is private. The web and mail servers are working in DMZ under static NAT. The question is - can I also setup VPN server in DMZ under the static NAT? The clients establishing VPN tunnels will work with DMZ servers (other servers) only. Thanks!

  We featured your question on the Cisco Support Community Facebook page. Check out some of the responses here: http://www.facebook.com/CiscoSupportCommunity/posts/269198139851698
  Posted by WebUser Cisco NetPro from Cisco Support Community App

• DMVPN Hub router with static NAT

  Hi everyone,
  I'm trying to setup a lab enviroment to stablish a DMVPN. I have two routers CISCO 2811, IOS version 12.4(3j). I need to configure those routers to stablish a DMVPN. For the spoke router, I have have an ISP that provides dynamic addressing. For the hub router, I have a public static IP address assignde by the ISP. But I have a Watchguard firewall in the middle doing static 1-to-1 NAT for that address. Now the questions are:
  1) Can I stablish the DMVPN between the routers with that firewall in the middle?
  2) In case it is possible, what will the physical hub address be? And is there something I need to change on the firewall configuration?
  3) In case it isn't possible, what other options do I have to stablish a VPN tunnel between the routers in those conditions?
  Is there is anything else you need to know to understand the situation, please ask. I haven't configure neither of the routers yet, because I think I need to be sure of these concepts first. Thanks for any help you could bring.
  Gustavo

  !

• My WRT54G v5 router loses internet connection frequently

  My WRT54G v5 router loses internet connection frequently. Sometimes occurs when you enter a web or sometimes every few minutes, but without a pattern. I have W XP Pro with SP3 and I have a pc wired to the router and sometimes 2 notebook with Wi-Fi. What could be the problem?. Thank you very much.

  I have upgraded the firmware to v 1.02.8 and reduced the MTU to 1350 but after a few minutes of doing that I had the same problem... The router reboots itself, again and again and again...
  It's possible to run some diagnostic utility that somebody can check ??  
  It's possible it would be a router failure ??
  I note that sometimes is ok and when Entering some web pages the router reboots itself and I loose my internet connection, but others, the router reboots for no apparent reason...
  I dont know what to do...

• H323 static Nat doesn't work fine on 3900 series router with IOS 15.2(3) T

  Hi,
  I have a problem with static nat setting on my 3925 router with IOS15.2(3). The scenario is like this:
  I set a static nat between 172.16.1.2 and x.x.x.x(public IP address) using following command:
  ip nat inside source static 172.16.1.2 x.x.x.x
  The intranet IP address is set on a video conference system from Huawei, after setting all these things, ping works fine to this public IP address, but video conference cannot be built. I tried same setting using another 2811 router with IOS12.4 and it worked fine. Which means the problem should be isolated to this 3925 router. Full config is also attached, sorry that I elimated the public IP address and use other characters instead.
  Additionally, I debugged ip natting and I see following information when making video calls:
  router#debug ip nat h323
  IP NAT H323 debugging is on
  router#                
  *Jul 10 09:11:07.343: NAT[0]: H323: received pak, payload_len=0
  *Jul 10 09:11:07.343: [NAT[0]: H323 ACK packet ? FALSE
  *Jul 10 09:16:15.731: NAT[1]: H323: received pak, payload_len=0
  *Jul 10 09:16:15.731: [NAT[1]: H323 ACK packet ? FALSE
  *Jul 10 09:16:57.215: NAT[1]: H323: received pak, payload_len=0
  *Jul 10 09:16:57.215: [NAT[1]: H323 ACK packet ? FALSE
  *Jul 10 09:17:02.731: NAT[1]: H323: received pak, payload_len=0
  *Jul 10 09:17:02.731: [NAT[1]: H323 ACK packet ? FALSE
  *Jul 10 09:17:14.731: NAT[1]: H323: received pak, payload_len=0
  *Jul 10 09:17:14.731: [NAT[1]: H323 ACK packet ? FALSE
  This problem has been bothering me for weeks. Hope that someone could help me out. Many thanks in advance.
  Regards,
  Angran

  Hi,
  i have the same requirement for a customer, not for video but for audio calls, i have a remote office with h.323 phones and they need to get registered to a gk in central office to send and recieve voice calls, did you make it work? can you share the config please?