PBR on router: VPN + Internet on ADSL; static NAT on serial
Hi,
By reposting, I'm hoping to get some replies.
If it's not possible, please let me know.
http://forums.cisco.com/eforum/servlet/NetProf?page=netprof&forum=Network%20Infrastructure&topic=LAN%2C%20Switching%20and%20Routing&CommCmd=MB%3Fcmd%3Ddisplay_location%26location%3D.2cbe4378
Many thanks.
Archie
You've received replies on that thread.
Similar Messages
-
Static NAT - VPN - Internet Access
Does anyone know how to configure the following?
1. A static NAT from an inside IP address to another inside IP address (not a physical subnet).
2. The traffic static NATted at step 1 needs to go into a VPN tunnel and at the same time have internet access.
My router just has two interfaces, a WAN and a LAN.
I just created the VPN, the static NAT and the PAT for other users of the subnet to have internet access, but the static NATted traffic just goes over the IPsec tunnel and cannot have internet access.
I tried to apply a route map after the static nat command, but since I do not have a physical interface in the same subnet where I am translating, the route-map is not applied to the static nat command.
In an extract:
LAN traffic (specific server) --->> static NAT to inside non-real subnet --->> traffic goes over tunnel (OK), but no internet access.
BTW, I need to configure the NAT before the IPsec tunnel because both LAN subnets of the IPsec tunnel endpoints are the same.
Why do you need an inside host to be NATted to another inside IP address?
You need to configure a "no nat" policy for the internet traffic. -
DM-VPN with Static NAT for Spoke Router. Require Expert Help
Dear All,
This is my first time writing something.
I have configured DM-VPN, and it's working fine; now I want to configure static NAT.
Some people will think, why do you need static NAT if it's working fine?
Let me tell you why I need it and what my plan is.
I have a HUB with 3 spokes. Sometimes I go outside of my office and am not able to access my spoke computer by Terminal Services, because it's on a dynamic IP address. So what I think is I'll configure one static NAT on my HUB router, so that if anyone (or I) hits the real/public IP address of my HUB WAN interface from any other remote location, this query is redirected to my Terminal Services computer, which is located in the spoke network.
Well, I tried that but failed.
Well, again the suggestion will come: why not use Easy VPN? Well, that sounds great, but then I have to keep my notebook with me.
I'll also do that, but now I need to know how to do static NAT, like I do for a normal router which is not part of the VPN:
ip nat inside source static tcp 192.168.1.10 3389 interface Dialer1 3389
But this time this command is not working, because the IP address which I mention is related to the HUB network, not the spoke.
Suppose the spoke network is 192.168.2.0/24
and I want on the HUB router:
ip nat inside source static tcp 192.168.2.10 3389 interface Dialer1 3389
I am using Cisco 887 and 877 ADSL routers.
But it's not working; I need expert help. Please write your comments, which are very important to me. Waiting for your comments.
For more details please see the diagram.
To contact me: [email protected]
Hi rvarelac, thank you for the reply:
I already did that; I put deny statements in the NAT access-list excluding the VPN traffic, but the problem is still there!
crypto isakmp policy 10
encr aes
authentication pre-share
crypto isakmp key 12344321 address 1.1.1.1
crypto ipsec transform-set Remote-Site esp-aes esp-sha-hmac
mode tunnel
crypto map s2s 100 ipsec-isakmp
set peer 1.1.1.1
set transform-set Remote-Site
match address vpnacl
interface GigabitEthernet0/0
crypto map s2s
Extended IP access list lantointernet
30 deny icmp 172.17.0.0 0.0.1.255 192.168.1.0 0.0.0.255
40 deny igmp 172.17.0.0 0.0.1.255 192.168.1.0 0.0.0.255
50 deny ip 172.17.0.0 0.0.1.255 192.168.1.0 0.0.0.255
80 permit ip any any -
Configure RVS4000 Behind 2700-Gateway Qwest DSL Router VPN
I have my Qwest DSL router 2700-Gateway using a static public IP address.
This is set up to be the DHCP server and assigns 192.168.0.2-50.
I need some help on how to connect my RVS4000 and utilize VPN so I can connect to my work network from home. The 2700-Gateway has some features like Transparent Bridging, etc., but I'm not sure how to make this work. Can anyone point me to an article, even if it's about configuring with another DSL router.
Here is how I tried, with my medium knowledge of networking...
I have configured the RVS4000 as:
LAN Static IP
192.168.0.115
Configured as DHCP Relay
The 2700-Gateway router saw the device, so:
Configured the firewall on the 2700-Gateway for PORT FORWARDING:
TCP port 1723 for PPTP tunnel maintenance traffic
UDP port 47 Generic Routing Encapsulation (GRE)
UDP port 500 for Internet Key Exchange (IKE) traffic
UDP port 1701 for L2TP traffic
--> 192.168.0.115
This did not work.
gv,
Thanks for your help. I discovered that EasyVPN works quite differently than I expected IPsec to work. Thanks for the suggestions. I documented my findings and procedure below.
The answer was to use the transparent bridging setting on my DSL modem, model 2Wire GATEWAY HG-2700, and turn off Search PCV, then set up PPPoE on the RVS4000 VPN router to accept and authenticate my public IP address.
Once I had the modem and router configured, I then had my RVS4000 VPN router ready to test the VPN client. The documentation is vague. But after doing some research on here and having some difficulty:
My Finding:
I already had the latest firmware, 1.109, from purchase.
On the client, I discovered from reading that EasyVPN uses 443. Well, I have this forwarding to an Exchange server to utilize RPC/HTTPS with Outlook. It turns out that this was fixed with the latest firmware.
The new firmware allows this, as they fixed the VPN listening port override to port 60443.
I port forwarded this to my router gateway 192.168.1.1
In order to use this port, you must have the latest client from the downloads for RVS4000, version 1.10, which adds a drop-down box Auto/443/60433. I found auto and 60443 to work with my configuration.
This configuration let me connect successfully.
If you read the readme that's included with the EasyVPN client download, you have to export the client cert under VPN, and copy the file *.pem to the root folder of the vpn client.exe stated in readme to get rid of the security popup. This worked for me.
So everything seems to be connecting, but now I get "The remote gateway is not responding" popup. I tried the suggested MTU setting with no luck.
After establishing a network share under map drive, this seems to have stopped responding as well once this popup occurs.
Things like this should just not be so hard..
So I found this post in regards to my problem and am hoping to hear if anyone else has found a solution or workaround here. Good night; some things are just not worth staying up late for.
http://forums.linksys.com/linksys/board/message?board.id=Wired_Routers&message.id=13651#M13651
Message Edited by MOTOGEEK on 12-10-2007 11:01 PM
Message Edited by MOTOGEEK on 12-10-2007 11:04 PM
Message Edited by MOTOGEEK on 12-10-2007 11:05 PM -
Static NAT (in and out) and PAT on a Router
Static NAT and PAT
I need to have a customer network connected to my extranet.
I'm not in control of the customer network addressing, but need to configure a VPN connection.
I will supply the router, which will also be the customer firewall to the Internet (PAT).
(1) I need to be able to do PAT on traffic from internal hosts to the Internet.
(2) I need to hide (NAT) the customer network behind a network supplied by me (match-host), when they are accessing my extranet (through VPN).
(3) I need to be able to access hosts on the customer network, through the hiding (NAT) addresses from my extranet (through VPN).
The following configuration will solve (1) & (2), but I cannot (3) reach the internal servers from my extranet, except if the internal host has made a connection to the extranet, which will create a translation entry in the NAT table.
Extranet is: 172.16.16.0/24
Internal net is: 192.168.1.0/24
interface Vlan1
ip address 192.168.1.1 255.255.255.0
ip nat inside
interface FastEthernet4
ip address 1.1.1.1
ip nat outside
access-list 175 deny 192.168.1.0 0.0.0.255 172.16.16.0 0.0.0.255
access-list 175 permit 192.168.1.0 0.0.0.255 any
access-list 176 permit 192.168.1.0 0.0.0.255 172.16.16.0 0.0.0.255
ip nat pool FRO 10.192.10.1 10.192.10.254 netmask 255.255.255.0 type match-host
ip nat inside source list 175 interface FastEthernet4 overload
ip nat inside source route-map HIDE pool FRO reversible
route-map HIDE permit 10
match ip address 176
Create a NAT configuration in the router which also translates your outside global address (your extranet) into an inside global (any private) address through the keyword "rotary". Only this rotary pool will provide the pool of inside global IP addresses for your outside global IP addresses.
The following white paper will provide you with the required information:
http://www.cisco.com/en/US/products/ps6640/products_white_paper09186a0080091cb9.shtml -
2851 router vpn to 851 router lan clients cannot ping
Greets - I'm expanding my lab experience by adding a 2851 router to my mix of 18xx and 851/871 units. Some of this infrastructure is in production, some just lab work. I have established good connectivity between 18xx's and 851/871's with IPSEC VPNs (site-to-site static and dynamic), but my problem is with adding in a 2851.
Setup: 2851 with 12.4 ADVENTK9, WAN on GE0/0 as 216.189.223.bbb/26, LAN on GE0/1 as 172.20.0.1/20 (VPN module, but no additional HWIC modules)
851 with 12.4 ADVENTK9, WAN on FE4 as 216.53.254.aaa/24, LAN on FE0..3 via BVI1 as 172.21.1.1/24
The two router WAN ports are bridged via a 3rd router (a Zywall with 216.0.0.0/8 route, with the router at 216.1.1.1) affectionately called the "InterNOT", which provides a surrogate to the great web, minus actual other hosts and dns, but it doesn't matter. As both my WAN addresses are within 216.x.x.x, this works quite well. This surrogate has tested fine and is known to not be part of a problem.
The 851 has been tested against another 851 with complementary setup and a successful VPN can run between the two.
I have good LAN-WAN connections on each router. I do have a "Good" VPN connection between the two routers.
The problem: I cannot ping from a LAN host on 172.20.x.x on the 2851 to any 172.21.1.x (eg 172.21.1.1) host on the 851, and vice versa.
From a LAN host, I can ping to my InterNOT - for example a dhcp host 172.20.6.2 on the 2851 LAN can ping 216.1.1.1 fine. I can also ping the 851's WAN address at 216.53.254.aaa.
To complicate matters, if I connect to the routers via console, I CAN ping across the vpn to the destination LAN hosts, in both directions.
This seems to indicate that there is a bridging problem between the LAN interfaces to the VPN interfaces. I suspect this is a config problem on the 2851, as I have had a similar config working on my 851 to 851 site-to-site setups. I also suspect it is in the 2851's config as I'm still just starting out with this particular router.
So some stripped-down configs:
For the 2851:
no service config
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
hostname router2851
boot-start-marker
boot-end-marker
no logging buffered
no logging console
enable password mypassword2
no aaa new-model
dot11 syslog
no ip cef
no ip dhcp use vrf connected
ip dhcp excluded-address 172.20.0.1 172.20.6.1
ip dhcp excluded-address 172.20.6.254 172.20.15.254
ip dhcp pool Internal_2000
import all
network 172.20.0.0 255.255.240.0
domain-name myseconddomain.int
default-router 172.20.0.1
lease 7
no ip domain lookup
multilink bundle-name authenticated
voice-card 0
no dspfarm
crypto pki <<truncated>>
crypto pki certificate chain TP-self-signed-2995823027
<<truncated>>
quit
username myusername privilege 15 password 0 mypassword2
archive
log config
hidekeys
crypto isakmp policy 1
encr 3des
authentication pre-share
group 2
crypto isakmp key mysharedkey address 216.53.254.aaa
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto map SDM_CMAP_1 1 ipsec-isakmp
description Tunnel to216.53.254.aaa
set peer 216.53.254.aaa
set transform-set ESP-3DES-SHA
match address 100
interface GigabitEthernet0/0
description $ETH-WAN$
ip address 216.189.223.bbb 255.255.255.192
ip nat outside
ip virtual-reassembly
duplex auto
speed auto
crypto map SDM_CMAP_1
no shut
interface GigabitEthernet0/1
description $FW_INSIDE$$ETH-LAN$
ip address 172.20.0.1 255.255.240.0
ip nat inside
ip virtual-reassembly
no ip route-cache
duplex auto
speed auto
no mop enabled
ip forward-protocol nd
ip route 0.0.0.0 0.0.0.0 GigabitEthernet0/0
ip http server
ip http authentication local
ip http secure-server
ip dns server
ip nat inside source route-map SDM_RMAP_1 interface GigabitEthernet0/0 overload
access-list 1 remark CCP_ACL Category=2
access-list 1 permit 172.20.0.0 0.0.15.255
access-list 100 remark CCP_ACL Category=4
access-list 100 remark IPSec Rule
access-list 100 permit ip 172.20.0.0 0.0.15.255 172.21.1.0 0.0.0.255
access-list 101 remark CCP_ACL Category=2
access-list 101 remark IPSec Rule
access-list 101 deny ip 172.20.0.0 0.0.15.255 172.21.1.0 0.0.0.255
access-list 101 permit ip 172.20.0.0 0.0.15.255 any
route-map SDM_RMAP_1 permit 1
match ip address 101
control-plane
banner motd ~This is a private computer system for authorized use only. And Stuff~
line con 0
line aux 0
line vty 0 4
privilege level 15
password mypassword
login local
transport input telnet ssh
scheduler allocate 20000 1000
end
And for the 851:
no service pad
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
hostname router851
boot-start-marker
boot-end-marker
logging buffered 52000 debugging
no logging console
enable password mypassword
aaa new-model
aaa authentication login default local
aaa authorization exec default local
aaa session-id common
resource policy
clock timezone PCTime -5
clock summer-time PCTime date Apr 6 2003 2:00 Oct 26 2003 2:00
no ip dhcp use vrf connected
ip dhcp excluded-address 172.21.1.1 172.21.1.100
ip dhcp pool Internal_2101
import all
network 172.21.1.0 255.255.255.0
default-router 172.21.1.1
domain-name mydomain.int
dns-server 172.21.1.10
lease 4
ip cef
ip domain name mydomain.int
ip name-server 172.21.1.10
crypto pki <<truncated>>
crypto pki certificate chain TP-self-signed-3077836316
<<truncated>>
quit
username myusername privilege 15 password 0 mypassword2
crypto isakmp policy 1
encr 3des
authentication pre-share
group 2
crypto isakmp key mysharedkey address 216.189.223.aaa
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec transform-set ESP-3DES-SHA1 esp-3des esp-sha-hmac
crypto ipsec transform-set ESP-3DES-SHA2 esp-3des esp-sha-hmac
crypto map SDM_CMAP_1 1 ipsec-isakmp
description Tunnel to216.189.223.bbb
set peer 216.189.223.bbb
set transform-set ESP-3DES-SHA2
match address 100
bridge irb
interface FastEthernet0
spanning-tree portfast
interface FastEthernet1
spanning-tree portfast
interface FastEthernet2
spanning-tree portfast
interface FastEthernet3
spanning-tree portfast
interface FastEthernet4
description $ETH-WAN$
ip address 216.53.254.aaa 255.255.254.0
ip nat outside
ip virtual-reassembly
ip tcp adjust-mss 1460
duplex auto
speed auto
no cdp enable
crypto map SDM_CMAP_1
no shut
interface Vlan1
description Internal Network
no ip address
ip nat inside
ip virtual-reassembly
bridge-group 1
bridge-group 1 spanning-disabled
interface BVI1
description Bridge to Internal Network
ip address 172.21.1.1 255.255.255.0
ip nat inside
ip virtual-reassembly
ip route 0.0.0.0 0.0.0.0 FastEthernet4
ip route 172.21.1.0 255.255.255.0 BVI1
ip http server
ip http secure-server
ip nat inside source route-map SDM_RMAP_1 interface FastEthernet4 overload
access-list 1 remark CCP_ACL Category=2
access-list 1 permit 172.21.1.0 0.0.0.255
access-list 100 remark CCP_ACL Category=4
access-list 100 remark IPSec Rule
access-list 100 permit ip 172.21.1.0 0.0.0.255 172.20.0.0 0.0.15.255
access-list 101 remark CCP_ACL Category=2
access-list 101 remark IPSec Rule
access-list 101 deny ip 172.21.1.0 0.0.0.255 172.20.0.0 0.0.15.255
access-list 101 remark IPSec Rule
access-list 101 deny ip 172.21.1.0 0.0.0.255 172.21.101.0 0.0.0.31
access-list 101 permit ip 172.21.1.0 0.0.0.255 any
route-map SDM_RMAP_1 permit 1
match ip address 101
control-plane
bridge 1 route ip
banner motd ~This is a private computer system for authorized use only. And Stuff.~
line con 0
password mypassword
no modem enable
line aux 0
line vty 0 4
password mypassword
scheduler max-task-time 5000
end
Note that the above are somewhat stripped-down configs, without firewall or WAN ACL's - interestingly my default WAN-Inbound ACLs seem to break connectivity when included, so I realize I have some more cleanup to do there, but the 2851 LAN bridging seems to be what I should concentrate on first.
I'm still googling some of the particulars with the 2851, but any assistance is appreciated.
Regards,
Ted.
Hi,
First, please delete the NAT. If we configured NAT in RRAS, the source IP address in all packets sent to 192.168.1.0/24 would be translated to 192.168.1.224.
Second, please enable LAN routing on the RRAS server. To enable LAN routing, please follow the steps below:
1. On the RRAS server, open Routing and Remote Access.
2. Right-click the server name, then click Properties.
3. On the General tab, select the IPv4 Router check box, and then click Local area network (LAN) routing only.
Then announce the 172.16.0.0 network to the router.
To learn more details about enabling LAN routing, please refer to the link below:
http://technet.microsoft.com/en-us/library/dd458974.aspx
Best Regards,
Tina -
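The recurring theme in the threads above (Archie's, rvarelac's and Ted's) is NAT rewriting tunnel-bound traffic before the crypto map sees it, so the flow never matches the interesting-traffic ACL. The following Python script is an added example, not code from the thread or from Cisco: it parses numbered IOS extended ACLs as quoted in Ted's 2851 config, evaluates them first-match with IOS wildcard masks, and reports any crypto-ACL flow that the NAT route-map ACL would still translate. The second config text is a constructed broken variant, and the sample host addresses it picks are arbitrary representatives of each ACL entry.

```python
"""Audit an IOS NAT ACL against the crypto (IPsec interesting-traffic) ACL.

Added example: on an IOS outside interface, inside-to-outside NAT runs before
the crypto map, so any flow that the crypto ACL should encrypt must be denied
in the NAT ACL (or route-map) or it is translated and never enters the tunnel.
"""
from __future__ import annotations

import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Ace:
    action: str                    # "permit" or "deny"
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network


def from_wildcard(addr: str, wildcard: str) -> ipaddress.IPv4Network:
    """Convert IOS 'addr wildcard' (inverted-mask) notation into a network.

    Non-contiguous wildcards are legal in IOS but not expressible as a prefix;
    ipaddress raises for them, which is the right outcome for this audit.
    """
    netmask = int(ipaddress.IPv4Address(wildcard)) ^ 0xFFFFFFFF
    return ipaddress.ip_network((addr, str(ipaddress.IPv4Address(netmask))), strict=False)


def _parse_target(tokens: list[str], i: int) -> tuple[ipaddress.IPv4Network, int]:
    """Parse one address spec ('any', 'host X' or 'X WILDCARD'); return (net, next index)."""
    tok = tokens[i]
    if tok == "any":
        return ipaddress.ip_network("0.0.0.0/0"), i + 1
    if tok == "host":
        return ipaddress.ip_network(f"{tokens[i + 1]}/32"), i + 2
    return from_wildcard(tok, tokens[i + 1]), i + 2


def parse_acl(config: str, number: str) -> list[Ace]:
    """Collect the 'ip' entries of numbered extended ACL `number`, skipping remarks."""
    aces: list[Ace] = []
    for line in config.splitlines():
        t = line.split()
        if len(t) < 6 or t[:2] != ["access-list", number] or t[2] == "remark":
            continue
        if t[3] != "ip":          # the VPN/NAT ACLs on this page are all protocol 'ip'
            continue
        src, i = _parse_target(t, 4)
        dst, _ = _parse_target(t, i)
        aces.append(Ace(t[2], src, dst))
    return aces


def lookup(aces: list[Ace], src: str, dst: str) -> str:
    """First-match evaluation; an IOS ACL ends with an implicit deny."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for ace in aces:
        if s in ace.src and d in ace.dst:
            return ace.action
    return "deny"


def _sample(net: ipaddress.IPv4Network) -> ipaddress.IPv4Address:
    """Pick one representative host inside a network (first usable address)."""
    return net.network_address + 1 if net.prefixlen < 31 else net.network_address


def nat_conflicts(crypto_acl: list[Ace], nat_acl: list[Ace]) -> list[tuple[str, str]]:
    """Return (src, dst) samples of crypto-ACL flows that the NAT ACL would translate."""
    bad = []
    for ace in crypto_acl:
        if ace.action != "permit":
            continue
        s, d = _sample(ace.src), _sample(ace.dst)
        if lookup(nat_acl, str(s), str(d)) == "permit":
            bad.append((str(s), str(d)))
    return bad


def audit(config: str, crypto_acl: str = "100", nat_acl: str = "101") -> list[tuple[str, str]]:
    """Parse both ACLs from one config text and run the conflict check."""
    return nat_conflicts(parse_acl(config, crypto_acl), parse_acl(config, nat_acl))


# Constructed from the 2851 config quoted in the thread: ACL 100 is the crypto
# map's match address, ACL 101 feeds the NAT route-map SDM_RMAP_1.
CONFIG_2851 = """\
access-list 100 remark IPSec Rule
access-list 100 permit ip 172.20.0.0 0.0.15.255 172.21.1.0 0.0.0.255
access-list 101 remark IPSec Rule
access-list 101 deny ip 172.20.0.0 0.0.15.255 172.21.1.0 0.0.0.255
access-list 101 permit ip 172.20.0.0 0.0.15.255 any
"""

# Constructed broken variant: the NAT ACL lacks the deny for tunnel traffic.
CONFIG_MISSING_EXEMPT = """\
access-list 100 permit ip 172.20.0.0 0.0.15.255 172.21.1.0 0.0.0.255
access-list 101 permit ip 172.20.0.0 0.0.15.255 any
"""

if __name__ == "__main__":
    for name, cfg in (("2851 as posted", CONFIG_2851), ("missing exempt", CONFIG_MISSING_EXEMPT)):
        print(name, "->", audit(cfg) or "no NAT/crypto overlap")
```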
Static-nat and vpn tunnel bound traffic from same private address?
Hi guys,
I have a site-to-site tunnel, local host 192.168.0.250 and remote host 172.16.3.3.
For this local host 192.168.0.250, I also have a static one-to-one private-to-public translation:
static (mgmt-192,outside-50) 216.9.50.250 192.168.0.250 netmask 255.255.255.255
As you can see, the IPsec SA shows the endpoints in question and traffic is being decrypted but not encrypted; host traffic never enters the tunnel. Why?
How can I resolve this problem without complicating the setup?
BurlingtonASA1# packet-tracer input mgmt-192 icmp 192.168.0.250 8 0 172.16.3.3
Phase: 1
Type: CAPTURE
Subtype:
Result: ALLOW
Config:
Additional Information:
MAC Access list
Phase: 2
Type: ACCESS-LIST
Subtype:
Result: ALLOW
Config:
Implicit Rule
Additional Information:
MAC Access list
Phase: 3
Type: ROUTE-LOOKUP
Subtype: input
Result: ALLOW
Config:
Additional Information:
in 0.0.0.0 0.0.0.0 outside-50
Phase: 4
Type: ROUTE-LOOKUP
Subtype: input
Result: ALLOW
Config:
Additional Information:
in 192.168.0.0 255.255.255.0 mgmt-192
Phase: 5
Type: ACCESS-LIST
Subtype: log
Result: ALLOW
Config:
access-group mgmt_intf in interface mgmt-192
access-list mgmt_intf extended permit icmp any any
access-list mgmt_intf remark *** Permit Event02 access to DMZ Intf ***
Additional Information:
Phase: 6
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:
Phase: 7
Type: INSPECT
Subtype: np-inspect
Result: ALLOW
Config:
Additional Information:
Phase: 8
Type: NAT-EXEMPT
Subtype:
Result: ALLOW
Config:
nat-control
match ip mgmt-192 host 192.168.0.250 outside-50 host 172.16.3.3
NAT exempt
translate_hits = 5, untranslate_hits = 0
Additional Information:
Phase: 9
Type: NAT
Subtype:
Result: ALLOW
Config:
static (mgmt-192,outside-50) 216.9.50.250 192.168.0.250 netmask 255.255.255.255
nat-control
match ip mgmt-192 host 192.168.0.250 outside-50 any
static translation to 216.9.50.250
translate_hits = 25508, untranslate_hits = 7689
Additional Information:
Phase: 10
Type: NAT
Subtype: host-limits
Result: ALLOW
Config:
static (mgmt-192,dmz2-172) 192.168.0.0 192.168.0.0 netmask 255.255.255.0
nat-control
match ip mgmt-192 192.168.0.0 255.255.255.0 dmz2-172 any
static translation to 192.168.0.0
translate_hits = 28867754, untranslate_hits = 29774713
Additional Information:
Phase: 11
Type: VPN
Subtype: encrypt
Result: ALLOW
Config:
Additional Information:
Phase: 12
Type: FLOW-CREATION
Subtype:
Result: ALLOW
Config:
Additional Information:
New flow created with id 1623623685, packet dispatched to next module
Result:
input-interface: mgmt-192
input-status: up
input-line-status: up
output-interface: outside-50
output-status: up
output-line-status: up
Action: allow
BurlingtonASA1#
Crypto map tag: map1, seq num: 4, local addr: 216.9.50.4
access-list newvpn extended permit ip host 192.168.0.250 host 172.16.3.3
local ident (addr/mask/prot/port): (192.168.0.250/255.255.255.255/0/0)
remote ident (addr/mask/prot/port): (172.16.3.3/255.255.255.255/0/0)
current_peer: 216.9.62.4
#pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
#pkts decaps: 53, #pkts decrypt: 53, #pkts verify: 53
#pkts compressed: 0, #pkts decompressed: 0
#pkts not compressed: 0, #pkts comp failed: 0, #pkts decomp failed: 0
#pre-frag successes: 0, #pre-frag failures: 0, #fragments created: 0
#PMTUs sent: 0, #PMTUs rcvd: 0, #decapsulated frgs needing reassembly: 0
#send errors: 0, #recv errors: 0
local crypto endpt.: 216.9.50.4, remote crypto endpt.: 216.9.62.4
path mtu 1500, ipsec overhead 74, media mtu 1500
current outbound spi: 37CA63F1
current inbound spi : 461C843C
inbound esp sas:
spi: 0x461C843C (1176273980)
transform: esp-aes-256 esp-sha-hmac no compression
in use settings ={L2L, Tunnel, }
slot: 0, conn_id: 77398016, crypto-map: map1
sa timing: remaining key lifetime (kB/sec): (3914997/25972)
IV size: 16 bytes
replay detection support: Y
Anti replay bitmap:
0x003FFFFF 0xFFFFFFFF
outbound esp sas:
spi: 0x37CA63F1 (936010737)
transform: esp-aes-256 esp-sha-hmac no compression
in use settings ={L2L, Tunnel, }
slot: 0, conn_id: 77398016, crypto-map: map1
sa timing: remaining key lifetime (kB/sec): (3915000/25972)
IV size: 16 bytes
replay detection support: Y
Anti replay bitmap:
0x00000000 0x00000001
Hi
Interesting VPN ACL
object-group network DM_INLINE_NETWORK_18
network-object YYY.YYY.YYY.0 255.255.255.0
object-group network DM_INLINE_NETWORK_22
network-object UUU.UUU.UUU.0 255.255.255.0
access-list outside_access_in extended permit ip object-group DM_INLINE_NETWORK_22 object-group DM_INLINE_NETWORK_18
Static NAT
static (Inside,outside) XXX.XXX.XXX.171 YYY.YYY.YYY.39 netmask 255.255.255.255
No NAT
object-group network DM_INLINE_NETWORK_20
network-object UUU.UUU.UUU.0 255.255.255.0
access-list Inside_nat0_outbound extended permit ip ZZZ.ZZZ.ZZZ.0 255.255.255.0 object-group DM_INLINE_NETWORK_20
VPN CLient Pool
No pool configured as it uses the interesting traffic or protected traffic in ASDM - UUU.UUU.UUU.0 is the IP address range at the far side of the site to site VPN.
I hope this helps
Thanks -
Static Policy NAT in VPN conflicts with Static NAT
I have a situation where I need to create a site-to-site VPN between an ASA 5505 using IOS 7.2 and a Sonicwall NSA4500. The problem arises in that the LAN behind the Cisco ASA has the same subnet as a currently existing VPN created on the Sonicwall. Since the Sonicwall can't have two VPNs both going to the same subnet, the solution is to use policy NAT on the ASA so that to the Sonicwall, the new VPN appears to have a different subnet.
The current subnet behind the ASA is 192.168.10.0/24 (The Sonicwall already has a VPN created to a different client with that same subnet). I am trying to translate that to 192.168.24.0/24. The peer LAN (behind the Sonicwall) is 10.159.0.0/24. The pertinent configuration of the ASA is:
interface Vlan1
ip address 192.168.10.1 255.255.255.0
access-list outside_1_cryptomap extended permit ip 192.168.24.0 255.255.255.0 10.159.0.0 255.255.255.0
access-list VPN extended permit ip 192.168.10.0 255.255.255.0 10.159.0.0 255.255.255.0
static (inside,outside) 192.168.24.0 access-list VPN
crypto map outside_map 1 match address outside_1_cryptomap
In addition to this, there are other static NAT statements and their associated ACLs that allow certain traffic through the firewall to the server, e.g.:
static (inside,outside) tcp interface smtp SERVER smtp netmask 255.255.255.255
The problem is this: When I enter the static policy NAT statement, I get the message "Warning: real-address conflict with existing static" and then it refers to each of the static NAT statements that translate the outside address to the server. I thought about this, and it seemed to me that the problem was that the policy NAT statement needed to be the first NAT statement (it is last) so that it would be handled first and all traffic destined for the VPN tunnel to the Sonicwall (destination 10.159.0.0/24) would be correctly handled. If I left it as the last statement, then the other static NAT statements would prevent some traffic destined for the 10.159.0.0/24 network from being correctly routed through the VPN.
So I tried first to move my policy NAT statement up in the ASDM GUI. However, moving that statement was not permitted. Then I tried deleting the five static NAT statements that point to the server (one example is above) and then recreating them, hoping that would then move the policy NAT statement to the top. This also failed.
What am I missing?
Hi,
To be honest, it should work in the way I mentioned. I am not sure why it would change the order of the NAT configurations. I have run into this situation on some ASA firewalls running the older software (older than 8.2) and reordering the configurations has always worked.
So I am not sure whether we are looking at some bug or what the problem is.
I was wondering if one solution would be to configure all of the Static NAT / Static PAT as Static Policy NAT/PAT.
I have gotten a bit rusty on the older (8.2 and older) NAT configuration format, as over 90% of our customer firewalls are running 8.3+ software.
I was thinking of this kind of "static" configuration for the existing Static PAT configurations, if you want to try:
access-list STATICPAT-SMTP permit tcp host SERVER eq smtp any
static (inside,outside) tcp interface smtp access-list STATICPAT-SMTP
access-list STATICPAT-HTTPS permit tcp host SERVER eq https any
static (inside,outside) tcp interface https access-list STATICPAT-HTTPS
access-list STATICPAT-RDP permit tcp host SERVER eq 3389 any
static (inside,outside) tcp interface 3389 access-list STATICPAT-RDP
access-list STATICPAT-TCP4125 permit tcp host SERVER eq 4125 any
static (inside,outside) tcp interface 4125 access-list STATICPAT-TCP4125
access-list STATICPAT-POP3 permit tcp host SERVER eq pop3 any
static (inside,outside) tcp interface pop3 access-list STATICPAT-POP3
Naturally you would add the Static Policy NAT for the VPN first.
Again, I have to say that I am not 100% sure if this is the correct format; maybe you can test it with a single service that has a Static PAT, for example the Static PAT for RDP (TCP/3389): first enter the Static Policy NAT, then remove the Static PAT and then enter the Static Policy PAT.
Remember that you should be able to test the translations with the "packet-tracer" command.
For example:
packet-tracer input outside tcp 1.1.1.1 12345
- Jouni -
This may be stupid, but may somebody help with this.
Site A --- Internet --- Site B
An IPsec VPN is implemented between Site A and Site B. Some "nat 0" commands are used on the Site A PIX to avoid addresses being translated when communicating with Site B.
But now there is a problem: there are several public servers which have static NAT entries by the "static" command. And it looks like these entries will still be valid even if the "nat 0" is present. And thus those inside IPs which have a static NAT will be translated once they reach the PIX and cannot go via the VPN tunnel.
May someone advise me how to overcome this? Thanks.
Your question really pertains to the NAT order of operations. Nat 0 (nat exemption) is first in the order. It precedes all others, including static NAT. The servers you mention will absolutely be included in the nat 0 unless they are specifically denied in the nat 0 ACL.
-
Hi there,
Should we worry about the security of router-to-router VPN over the internet (IPsec)?
We have two offices.
Office A has Cisco 2811 router (internal, private) and ASA 5510 firewall.
Office B has Cisco 2821 router (internal, private) and ASA 5505 firewall.
Office B has private subnets that extend to 7 hops away. (running RIP)
If we want to set up a site-to-site VPN between these two offices, should we set it up on the ASAs or the routers?
If we set up the VPN on the routers, does that mean we need to connect one interface on each router to the internet and suffer from Internet attacks?
How do we defend our routers then?
Thanks in advance!
-Andrew
Hi,
When it comes to site-to-site VPN I usually prefer routers. With a little bit of tweaking of NAT and routing you should be able to operate a public address on the routers even if they are behind the firewall.
The advantage of IOS-based VPN is e.g. the possibility of running routing protocols through the VPN tunnels, which would give another level of resiliency. Configure tunnel interfaces on the routers with a tunnel mode IPsec and a tunnel protection profile. You can then run e.g. EIGRP to find a possible alternate path if one of the tunnels fails. It's much easier than anything I can think of on the ASA.
Rgds, MiKa -
Upgrading Internet from ADSL to VDSL
I currently connect all my Apple equipment to an Airport Extreme to provide my home network. The Airport connects by cable to my ISP-provided router for internet access (with wireless access disabled). If I upgrade my ADSL line to VDSL, will I still be able to use the same system and will I still get the speed increases VDSL should provide? I currently receive around 3500 mbps broadband, so I'm hoping to see a good speed increase with VDSL.
Welcome,
I've done just this about 9 months ago. I had to replace my router as the old one only supported ADSL2+.
I certainly get a vastly upgraded speed - I can now get 37Mbps up, 17Mbps down on my iPhone via Airport and 70Mbps via iMac wired.
I have turned OFF the WiFi provided by my Netgear WRN2000 router and just use Airports for my WiFi.
I assume you mean 3500 bps, by the way!
Regards,
Shawn -
VPN Server under Static NAT. Any advices?
Hi there,
Is it possible to set up a VPN server in the DMZ under a static NAT translation? I have a 2911 as an edge router and another 2951 as a firewall with four zones - inside1, inside2, outside, dmz. All IP addressing between edge and firewall is private. The web and mail servers are working in the DMZ under static NAT. The question is: can I also set up a VPN server in the DMZ under static NAT? The clients establishing VPN tunnels will work with DMZ servers (other servers) only. Thanks!
We featured your question on the Cisco Support Community Facebook page. Check out some of the responses here: http://www.facebook.com/CiscoSupportCommunity/posts/269198139851698
Posted by WebUser Cisco NetPro from Cisco Support Community App -
DMVPN Hub router with static NAT
Hi everyone,
I'm trying to set up a lab environment to establish a DMVPN. I have two Cisco 2811 routers, IOS version 12.4(3j). I need to configure those routers to establish a DMVPN. For the spoke router, I have an ISP that provides dynamic addressing. For the hub router, I have a public static IP address assigned by the ISP. But I have a Watchguard firewall in the middle doing static 1-to-1 NAT for that address. Now the questions are:
1) Can I establish the DMVPN between the routers with that firewall in the middle?
2) In case it is possible, what will the physical hub address be? And is there something I need to change in the firewall configuration?
3) In case it isn't possible, what other options do I have to establish a VPN tunnel between the routers under those conditions?
If there is anything else you need to know to understand the situation, please ask. I haven't configured either of the routers yet, because I think I need to be sure of these concepts first. Thanks for any help you can give.
Gustavo!
-
My WRT54G v5 router loses internet connection frequently
My WRT54G v5 router loses internet connection frequently. Sometimes it occurs when entering a web page, sometimes every few minutes, but without a pattern. I have W XP Pro with SP3 and I have a PC wired to the router and sometimes 2 notebooks with Wi-Fi. What could be the problem? Thank you very much.
I have upgraded the firmware to v 1.02.8 and reduced the MTU to 1350, but after a few minutes of doing that I had the same problem... The router reboots itself, again and again and again...
Is it possible to run some diagnostic utility so that somebody can check?
Is it possible that it is a router failure?
I note that sometimes it is OK, and when entering some web pages the router reboots itself and I lose my internet connection, but other times the router reboots for no apparent reason...
I don't know what to do... -
H323 static Nat doesn't work fine on 3900 series router with IOS 15.2(3) T
Hi,
I have a problem with a static NAT setting on my 3925 router with IOS 15.2(3). The scenario is like this:
I set a static NAT between 172.16.1.2 and x.x.x.x (public IP address) using the following command:
ip nat inside source static 172.16.1.2 x.x.x.x
The intranet IP address is set on a video conference system from Huawei. After setting all these things, ping works fine to this public IP address, but a video conference cannot be built. I tried the same setting using another 2811 router with IOS 12.4 and it worked fine, which means the problem should be isolated to this 3925 router. The full config is also attached; sorry that I eliminated the public IP address and used other characters instead.
Additionally, I debugged IP NAT and I see the following information when making video calls:
router#debug ip nat h323
IP NAT H323 debugging is on
router#
*Jul 10 09:11:07.343: NAT[0]: H323: received pak, payload_len=0
*Jul 10 09:11:07.343: [NAT[0]: H323 ACK packet ? FALSE
*Jul 10 09:16:15.731: NAT[1]: H323: received pak, payload_len=0
*Jul 10 09:16:15.731: [NAT[1]: H323 ACK packet ? FALSE
*Jul 10 09:16:57.215: NAT[1]: H323: received pak, payload_len=0
*Jul 10 09:16:57.215: [NAT[1]: H323 ACK packet ? FALSE
*Jul 10 09:17:02.731: NAT[1]: H323: received pak, payload_len=0
*Jul 10 09:17:02.731: [NAT[1]: H323 ACK packet ? FALSE
*Jul 10 09:17:14.731: NAT[1]: H323: received pak, payload_len=0
*Jul 10 09:17:14.731: [NAT[1]: H323 ACK packet ? FALSE
This problem has been bothering me for weeks. Hope that someone could help me out. Many thanks in advance.
Regards,
Angran
Hi,
I have the same requirement for a customer, not for video but for audio calls. I have a remote office with H.323 phones and they need to get registered to a GK in the central office to send and receive voice calls. Did you make it work? Can you share the config please?