RV042 Site-to-Stie VPN with NAT on one side

I set up a site-to-site VPN using two RV042s some time ago. One was behind a NATting router. The other was the internet interface itself.
Somewhere I had found a paper describing how to do this. It said that only ONE of them could be behind another NATting router. So, that's how this was set up. I sure wish I could find that paper again!!! Any suggestions?
Now I have to do the same thing again but can't get it working. It looks like this:
RV042 VPN public address <> cable modem <> internet <> RV042 "firewall" with IPSEC passthrough enabled <> interim subnet LAN <> RV042 VPN <> LAN
I'm getting log messages and on the remote site log (the left side of the above) like:
initial Aggressive Mode packet claiming to be from [xxx.xxx.xxx.xxx] on [same] but no connection has been authorized
and
No suitable connection for peer '10.98.76.2', Please check Phase 1 ID value
(where 10.98.76.2 is the IP address of the RV042 WAN port on the interim subnet)
I have them both in Aggressive mode as eventually I'll be using a dyndns url. But, for now, I'm using the actual IP addresses so that should not be an issue one way or the other..

make sure the configuration u do on both the side should be same....and secondly exempt the NAT rules then only it will work.

Similar Messages

Site-to-ste VPN with overlapped subnet.

Hi Friends
I have to set up site to site VPN with overlapped network ASA 5540 and checkpoint what is the best parctice to achive tis goal
Thanks in advance

It has to be configured on both sides.
X and Y are unused networks in this example: Site A has to hide 172.16.1.0/24 behind X when communicating to Y, site B has to hide 172.16.1.0/24 behind Y when communicating to X. The users in site A have to use Y as a destination, users in site B have to use X as destination. To make it usable for the users you should include the destinations in the DNS so that they never need the destination-IP.
On the ASA you describe the communication 172.16.1.0/24 -> Y with an access-list and add that ACL to your static-command. You find an example here:
http://www.cisco.com/en/US/products/hw/vpndevc/ps2030/products_configuration_example09186a00808c9950.shtml
Don't stop after you've improved your network! Improve the world by lending money to the working poor:
http://www.kiva.org/invitedby/karsteni

Site to Site VPN with Natting Internal IP address range?

This is our actual Internal LAN address: 10.40.120.0/26 (Internal Range) and I want to translate to
Translated address: 10.254.9.64.255.255.255.192(Internal)
Our remote local address is: 10.254.5.64 255.255.255.192(Remote site Internal Ip add range)
Based on above parameters I done this configuration
access-list outside_cryptomap permit ip 10.254.9.64 255.255.255.192 10.254.5.64 255.255.255.192
access-list policy-nat permit ip 10.40.120.0 255.255.255.192 10.254.5.64 255.255.255.192
static (inside,outside) 10.254.9.64 access-list policy-nat
I got all the Phase1 and Phase 2 parameters required and peer public ip add,
I had set up vpn using ASDM before but this scenario is new for me, all I am wondering is there anything I need to configure to succesfully setup VPN

Hi mate,
yeah issue on far site they arent allowing access to the port we are trying to access, and they made it up and we are good to g now,
One thing I am worried is only one IP add is able to access the resources, I mean i created an add range of 192.168.x.0/26, however only 192.168.x.3 one of our server is able to access the far site, havent got a clue
config is as folllows:
access-list pp-vpn extended permit ip 10.254.7.64 255.255.255.192 10.254.6.64 255.255.255.192
access-list policy-nat---- extended permit ip 192.168.x.0 255.255.255.192 10.254.6.64 255.255.255.192
static (inside,outside) 10.254.7.64 access-list policy-nat
crypto ipsec transform-set esp-aes256-sha esp-md5-hmac
crypto map outside_map 20 match address pp-vpn
crypto map outside_map 20 set peer 172.162.1.2
crypto map outside_map 20 set transform-set vpn1
crypto map outside_map interface outside
crypto isakmp identity address
crypto isakmp policy 65 encyptio
authentication pre-share
encryption des
hash md5
group 2
lifetime 86400
tunnel type ipsec-l2l
tunnel-group 172.162.1.2 ipsec-attributes
pre-shared-key *
Thank you immensly for all your assitance
ven

VPN with more than one filter / nested ACL

Dear All,
Is there a way to assign more than one ACL to a VPN profile or implement a nested ACL structure?
I am trying to avoid modifing a large list of ACLs to insert the same ACE in each ACL bound to different VPN profiles.

Hi,
I know only the few basics ways to control the VPN users traffic they basically are
Changing the global "sysopt" setting and controlling all user traffic on the external interface ACL
Use separate VPN Filter ACLs
If using subinterfaces for local interfaces then tie the VPN connection to a specific Vlan which would allow connectivity only towards that Vlan subinterface for those VPN users.
In some cases we might use a separate device to do the access control.
But I guess if the requirement is to have a specific ACL for each VPN user group then the original suggestion is not an option for you.
I was just thinking that using the same ACL would make it easier to generate the new configuration addiotion. Atleast in the sense that the ACL name for each rule would be the same. If you didnt make too broad ACL rules it would not really allow any connectivity between the different networks involved though that would also depend on the NAT configurations, not just the ACL.
- Jouni

Cisco ASA Site to Site IPSEC VPN and NAT question

Hi Folks,
I have a question regarding both Site to Site IPSEC VPN and NAT. Basically what I want to achieve is to do the following:
ASA2 is at HQ and ASA1 is a remote site. I have no problem setting up a static static Site to Site IPSEC VPN between sites. Hosts residing at 10.1.0.0/16 are able to communicate with hosts at 192.168.1.0/24, but what i want is to setup NAT with IPSEC VPN so that host at 10.1.0.0/16 will communicate with hosts at 192.168.1.0/24 with translated addresses
Just an example:
Host N2 (10.1.0.1/16) will communicate with host N1 192.168.1.5 with destination lets say 10.23.1.5 not 192.168.1.5 (Notice the last octet should be the same in this case .5)
The same translation for the rest of the communication (Host N2 pings host N3 destination ip 10.23.1.6 not 192.168.1.6. again last octet is the same)
It sounds a bit confusing for me but i have seen this type of setup before when I worked for managed service provider where we had connection to our clients (Site to Site Ipsec VPN with NAT, not sure how it was setup)
Basically we were communicating with client hosts over site to site VPN but their real addresses were hidden and we were using translated address as mentioned above 10.23.1.0/24 instead of (real) 192.168.1.0/24, last octet should be the same.
Appreciate if someone can shed some light on it.

Hi,
Ok so were going with the older NAT configuration format
To me it seems you could do the following:
Configure the ASA1 with Static Policy NAT
access-list L2LVPN-POLICYNAT permit ip 192.168.1.0 255.255.255.0 10.1.0.0 255.255.0.0
static (inside,outside) 10.23.1.0 access-list L2LVPN-POLICYNAT
Because the above is a Static Policy NAT it means that the translation will only be done when the destination network is 10.1.0.0/16
If you for example have a basic PAT configuration for inside -> outside traffic, the above NAT configuration and the actual PAT configuration wont interfere with eachother
On ASA2 side you can normally configure NAT0 / NAT Exemption for the 10.1.0.0/16 network
access-list INSIDE-NONAT remark L2LVPN NONAT
access-list INSIDE-NONAT permit ip 10.1.0.0 255.255.0.0 10.23.1.0 255.255.255.0
nat (inside) 0 access-list INSIDE-NONAT
You will have to take into consideration that your access-list defining the L2L-VPN encrypted traffic must reflect the new NAT network
ASA1: access-list L2LVPN-ENCRYPTIONDOMAIN permit ip 10.23.1.0 255.255.255.0 10.1.0.0 255.255.0.0
ASA2: access-list L2LVPN-ENCRYPTIONDOMAIN permit ip 10.1.0.0 255.255.0.0 10.23.1.0 255.255.255.0
I could test this setup tomorrow at work but let me know if it works out.
Please rate if it was helpful
- Jouni

Azure Site to Site VPN with Cisco ASA 5505

I have got Cisco ASA 5505 device (version 9.0(2)). And i cannot connect S2S with azure (azure network alway in "connecting" state). In my cisco log:
IP = 104.40.182.93, Keep-alives configured on but peer does not support keep-alives (type = None)
Group = 104.40.182.93, IP = 104.40.182.93, QM FSM error (P2 struct &0xcaaa2a38, mess id 0x1)!
Group = 104.40.182.93, IP = 104.40.182.93, Removing peer from correlator table failed, no match!
Group = 104.40.182.93, IP = 104.40.182.93,Overriding Initiator's IPSec rekeying duration from 102400000 to 4608000 Kbs
Group = 104.40.182.93, IP = 104.40.182.93, PHASE 1 COMPLETED
I have done all cisco s2s congiguration over standard wizard cos seems your script for 8.x version of asa only?
(Does azure support 9.x version of asa?)
How can i fix it?

Hi,
As of now, we do not have any scripts for Cisco ASA 9x series.
Thank you for your interest in Windows Azure. The Dynamic routing is not supported for the Cisco ASA family of devices.
Unfortunately, a dynamic routing VPN gateway is required for Multi-Site VPN, VNet to VNet, and Point-to-Site.
However, you should be able to setup a site-to-site VPN with Cisco ASA 5505 series security appliance as
demonstrated in this blog:
Step-By-Step: Create a Site-to-Site VPN between your network and Azure
http://blogs.technet.com/b/canitpro/archive/2013/10/09/step-by-step-create-a-site-to-site-vpn-between-your-network-and-azure.aspx
You can refer to this article for Cisco ASA templates for Static routing:
http://msdn.microsoft.com/en-us/library/azure/dn133793.aspx
Did you download the VPN configuration file from the dashboard and copy the content of the configuration
file to the Command Line Interface of the Cisco ASDM application? It seems that there is no specified IP address in the access list part and maybe that is why the states message appeared.
According to the
Cisco ASA template, it should be similar to this:
access-list <RP_AccessList>
extended permit ip object-group
<RP_OnPremiseNetwork> object-group <RP_AzureNetwork>
nat (inside,outside) source static <RP_OnPremiseNetwork>
<RP_OnPremiseNetwork> destination static <RP_AzureNetwork>
<RP_AzureNetwork>
Based on my experience, to establish
IPSEC tunnel, you need to allow the ESP protocol and UDP Port 500. Please make sure that the
VPN device cannot be located behind a NAT. Besides, since Cisco ASA templates are not
compatible for dynamic routing, please make sure that you chose the static routing.
Since you configure the VPN device yourself, it's important that you would be familiar with the device and its configuration settings.
Hope this helps you.
Girish Prajwal

Need help in configuring Client to Site IPSec VPN with Hairpinning on Cisco ASA5510 8.2(1)

Need urgent help in configuring Client to Site IPSec VPN with Hairpinning on Cisco ASA5510 - 8.2(1).
The following is the Layout:
There are two Leased Lines for Internet access - 1.1.1.1 & 2.2.2.2, the latter being the Standard Default route, the former one is for backup.
I have been able to configure Client to Site IPSec VPN
1) With access from Outside to only the Internal Network (172.16.0.0/24) behind the asa
2) With Split tunnel with simultaneous assess to internal LAN and Outside Internet.
But I have not been able to make tradiotional Hairpinng model work in this scenario.
I followed every possible sugestions made in this regard in many Discussion Topics but still no luck. Can someone please help me out here???
Following is the Running-Conf with Normal Client to Site IPSec VPN configured with No internat Access:
LIMITATION: Can't Boot into any other ios image for some unavoidable reason, must use 8.2(1)
running-conf --- Working normal Client to Site VPN without internet access/split tunnel
ASA Version 8.2(1)
hostname ciscoasa
domain-name cisco.campus.com
enable password xxxxxxxxxxxxxx encrypted
passwd xxxxxxxxxxxxxx encrypted
names
interface GigabitEthernet0/0
nameif internet1-outside
security-level 0
ip address 1.1.1.1 255.255.255.240
interface GigabitEthernet0/1
nameif internet2-outside
security-level 0
ip address 2.2.2.2 255.255.255.224
interface GigabitEthernet0/2
nameif dmz-interface
security-level 0
ip address 10.0.1.1 255.255.255.0
interface GigabitEthernet0/3
nameif campus-lan
security-level 0
ip address 172.16.0.1 255.255.0.0
interface Management0/0
nameif CSC-MGMT
security-level 100
ip address 10.0.0.4 255.255.255.0
boot system disk0:/asa821-k8.bin
boot system disk0:/asa843-k8.bin
ftp mode passive
dns server-group DefaultDNS
domain-name cisco.campus.com
same-security-traffic permit inter-interface
same-security-traffic permit intra-interface
object-group network cmps-lan
object-group network csc-ip
object-group network www-inside
object-group network www-outside
object-group service tcp-80
object-group service udp-53
object-group service https
object-group service pop3
object-group service smtp
object-group service tcp80
object-group service http-s
object-group service pop3-110
object-group service smtp25
object-group service udp53
object-group service ssh
object-group service tcp-port
object-group service udp-port
object-group service ftp
object-group service ftp-data
object-group network csc1-ip
object-group service all-tcp-udp
access-list INTERNET1-IN extended permit ip host 1.2.2.2 host 2.2.2.3
access-list CSC-OUT extended permit ip host 10.0.0.5 any
access-list CAMPUS-LAN extended permit tcp 172.16.0.0 255.255.0.0 any eq www
access-list CAMPUS-LAN extended permit tcp 172.16.0.0 255.255.0.0 any eq https
access-list CAMPUS-LAN extended permit tcp 172.16.0.0 255.255.0.0 any eq ssh
access-list CAMPUS-LAN extended permit tcp 172.16.0.0 255.255.0.0 any eq ftp
access-list CAMPUS-LAN extended permit udp 172.16.0.0 255.255.0.0 any eq domain
access-list CAMPUS-LAN extended permit tcp 172.16.0.0 255.255.0.0 any eq smtp
access-list CAMPUS-LAN extended permit tcp 172.16.0.0 255.255.0.0 any eq pop3
access-list CAMPUS-LAN extended permit ip any any
access-list csc-acl remark scan web and mail traffic
access-list csc-acl extended permit tcp any any eq smtp
access-list csc-acl extended permit tcp any any eq pop3
access-list csc-acl remark scan web and mail traffic
access-list INTERNET2-IN extended permit tcp any host 1.1.1.2 eq 993
access-list INTERNET2-IN extended permit tcp any host 1.1.1.2 eq imap4
access-list INTERNET2-IN extended permit tcp any host 1.1.1.2 eq 465
access-list INTERNET2-IN extended permit tcp any host 1.1.1.2 eq www
access-list INTERNET2-IN extended permit tcp any host 1.1.1.2 eq https
access-list INTERNET2-IN extended permit tcp any host 1.1.1.2 eq smtp
access-list INTERNET2-IN extended permit tcp any host 1.1.1.2 eq pop3
access-list INTERNET2-IN extended permit ip any host 1.1.1.2
access-list nonat extended permit ip 172.16.0.0 255.255.0.0 172.16.0.0 255.255.0.0
access-list DNS-inspect extended permit tcp any any eq domain
access-list DNS-inspect extended permit udp any any eq domain
access-list capin extended permit ip host 172.16.1.234 any
access-list capin extended permit ip host 172.16.1.52 any
access-list capin extended permit ip any host 172.16.1.52
access-list capin extended permit ip host 172.16.0.82 host 172.16.0.61
access-list capin extended permit ip host 172.16.0.61 host 172.16.0.82
access-list capout extended permit ip host 2.2.2.2 any
access-list capout extended permit ip any host 2.2.2.2
access-list campus-lan_nat0_outbound extended permit ip 172.16.0.0 255.255.0.0 192.168.150.0 255.255.255.0
pager lines 24
logging enable
logging buffered debugging
logging asdm informational
mtu internet1-outside 1500
mtu internet2-outside 1500
mtu dmz-interface 1500
mtu campus-lan 1500
mtu CSC-MGMT 1500
ip local pool vpnpool1 192.168.150.2-192.168.150.250 mask 255.255.255.0
ip verify reverse-path interface internet2-outside
ip verify reverse-path interface dmz-interface
ip verify reverse-path interface campus-lan
ip verify reverse-path interface CSC-MGMT
no failover
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-621.bin
no asdm history enable
arp timeout 14400
global (internet1-outside) 1 interface
global (internet2-outside) 1 interface
nat (campus-lan) 0 access-list campus-lan_nat0_outbound
nat (campus-lan) 1 0.0.0.0 0.0.0.0
nat (CSC-MGMT) 1 10.0.0.5 255.255.255.255
static (CSC-MGMT,internet2-outside) 2.2.2.3 10.0.0.5 netmask 255.255.255.255
access-group INTERNET2-IN in interface internet1-outside
access-group INTERNET1-IN in interface internet2-outside
access-group CAMPUS-LAN in interface campus-lan
access-group CSC-OUT in interface CSC-MGMT
route internet2-outside 0.0.0.0 0.0.0.0 2.2.2.5 1
route internet1-outside 0.0.0.0 0.0.0.0 1.1.1.5 2
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
dynamic-access-policy-record DfltAccessPolicy
aaa authentication ssh console LOCAL
aaa authentication enable console LOCAL
http server enable
http 10.0.0.2 255.255.255.255 CSC-MGMT
http 10.0.0.8 255.255.255.255 CSC-MGMT
http 1.2.2.2 255.255.255.255 internet2-outside
http 1.2.2.2 255.255.255.255 internet1-outside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
crypto ipsec transform-set ESP-DES-SHA esp-des esp-sha-hmac
crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac
crypto ipsec transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto ipsec transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
crypto ipsec transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
crypto ipsec transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac
crypto ipsec transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set pfs group5
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5
crypto map internet2-outside_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
crypto map internet2-outside_map interface internet2-outside
crypto ca trustpoint _SmartCallHome_ServerCA
crl configure
crypto ca certificate chain _SmartCallHome_ServerCA
certificate ca xyzxyzxyzyxzxyzxyzxyzxxyzyxzyxzy
        a67a897as a67a897as a67a897as a67a897as a67a897as a67a897as a67a897as a67a897as a67a897as
    a67a897as a67a897as a67a897as a67a897as a67a897as a67a897as a67a897as a67a897as a67a897as
    a67a897as a67a897as a67a897as a67a897as a67a897as a67a897as a67a897as a67a897as a67a897as
    a67a897as a67a897as a67a897as a67a897as a67a897as a67a897as a67a897as a67a897as a67a897as
    a67a897as a67a897as a67a897as a67a897as a67a897as a67a897as a67a897as a67a897as a67a897as
    a67a897as a67a897as a67a897as a67a897as a67a897as a67a897as a67a897as a67a897as a67a897as
    a67a897as a67a897as a67a897as a67a897as a67a897as a67a897as a67a897as a67a897as a67a897as
    a67a897as a67a897as a67a897as a67a897as a67a897as a67a897as a67a897as a67a897as a67a897as
    a67a897as a67a897as a67a897as a67a897as a67a897as a67a897as a67a897as a67a897as a67a897as
    a67a897as a67a897as a67a897as a67a897as a67a897as a67a897as a67a897as a67a897as a67a897as
    a67a897as a67a897as a67a897as a67a897as a67a897as a67a897as a67a897as a67a897as a67a897as
    a67a897as a67a897as a67a897as a67a897as a67a897as a67a897as a67a897as a67a897as a67a897as
    a67a897as a67a897as a67a897as a67a897as a67a897as a67a897as a67a897as a67a897as a67a897as
    a67a897as a67a897as a67a897as a67a897as a67a897as a67a897as a67a897as a67a897as a67a897as
    a67a897as a67a897as a67a897as a67a897as a67a897as
quit
crypto isakmp enable internet2-outside
crypto isakmp policy 10
authentication pre-share
encryption aes
hash md5
group 2
lifetime 86400
telnet 10.0.0.2 255.255.255.255 CSC-MGMT
telnet 10.0.0.8 255.255.255.255 CSC-MGMT
telnet timeout 5
ssh 1.2.3.3 255.255.255.240 internet1-outside
ssh 1.2.2.2 255.255.255.255 internet1-outside
ssh 1.2.2.2 255.255.255.255 internet2-outside
ssh timeout 5
console timeout 0
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
webvpn
group-policy VPN_TG_1 internal
group-policy VPN_TG_1 attributes
vpn-tunnel-protocol IPSec
username ssochelpdesk password xxxxxxxxxxxxxx encrypted privilege 15
username administrator password xxxxxxxxxxxxxx encrypted privilege 15
username vpnuser1 password xxxxxxxxxxxxxx encrypted privilege 0
username vpnuser1 attributes
vpn-group-policy VPN_TG_1
tunnel-group VPN_TG_1 type remote-access
tunnel-group VPN_TG_1 general-attributes
address-pool vpnpool1
default-group-policy VPN_TG_1
tunnel-group VPN_TG_1 ipsec-attributes
pre-shared-key *
class-map cmap-DNS
match access-list DNS-inspect
class-map csc-class
match access-list csc-acl
policy-map type inspect dns preset_dns_map
parameters
message-length maximum 512
policy-map global_policy
class csc-class
csc fail-open
class cmap-DNS
inspect dns preset_dns_map
service-policy global_policy global
prompt hostname context
Cryptochecksum: y0y0y0y0y0y0y0y0y0y0y0y0y0y
: end
Neither Adding dynamic NAT for 192.168.150.0/24 on outside interface works, nor does the sysopt connection permit-vpn works
Please tell what needs to be done here, to hairpin all the traffic to internet comming from VPN Clients.
That is I need clients conected via VPN tunnel, when connected to internet, should have their IP's NAT'ted against the internet2-outside interface address 2.2.2.2, as it happens for the Campus Clients (172.16.0.0/16)
I'm not much conversant with everything involved in here, therefore please be elaborative in your replies. Please let me know if you need any more information regarding this setup to answer my query.
Thanks & Regards
maxs

Hi Jouni,
Thanks again for your help, got it working. Actually the problem was ASA needed some time after configuring to work properly ( ?????? ). I configured and tested several times within a short period, during the day and was not working initially, GUI packet tracer was showing some problems (IPSEC Spoof detected) and also there was this left out dns. Its working fine now.
But my problem is not solved fully here.
Does hairpinning model allow access to the campus LAN behind ASA also?. Coz the setup is working now as i needed, and I can access Internet with the NAT'ed ip address (outside-interface). So far so good. But now I cannot access the Campus LAN behind the asa.
Here the packet tracer output for the traffic:
packet-tracer output
asa# packet-tracer input internet2-outside tcp 192.168.150.1 56482 172.16.1.249 22
Phase: 1
Type: ACCESS-LIST
Subtype:
Result: ALLOW
Config:
Implicit Rule
Additional Information:
MAC Access list
Phase: 2
Type: FLOW-LOOKUP
Subtype:
Result: ALLOW
Config:
Additional Information:
Found no matching flow, creating a new flow
Phase: 3
Type: ROUTE-LOOKUP
Subtype: input
Result: ALLOW
Config:
Additional Information:
in   172.16.0.0      255.255.0.0     campus-lan
Phase: 4
Type: ROUTE-LOOKUP
Subtype: input
Result: ALLOW
Config:
Additional Information:
in   192.168.150.1   255.255.255.255 internet2-outside
Phase: 5
Type: ACCESS-LIST
Subtype: log
Result: ALLOW
Config:
access-group internnet1-in in interface internet2-outside
access-list internnet1-in extended permit ip 192.168.150.0 255.255.255.0 any
Additional Information:
Phase: 6
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:
Phase: 7
Type: CP-PUNT
Subtype:
Result: ALLOW
Config:
Additional Information:
Phase: 8
Type: VPN
Subtype: ipsec-tunnel-flow
Result: ALLOW
Config:
Additional Information:
Phase: 9
Type: NAT-EXEMPT
Subtype: rpf-check
Result: ALLOW
Config:
Additional Information:
Phase: 10
Type: NAT
Subtype:
Result: DROP
Config:
nat (internet2-outside) 1 192.168.150.0 255.255.255.0
match ip internet2-outside 192.168.150.0 255.255.255.0 campus-lan any
    dynamic translation to pool 1 (No matching global)
    translate_hits = 14, untranslate_hits = 0
Additional Information:
Result:
input-interface: internet2-outside
input-status: up
input-line-status: up
output-interface: internet2-outside
output-status: up
output-line-status: up
Action: drop
Drop-reason: (acl-drop) Flow is denied by configured rule
The problem here as you can see is the Rule for dynamic nat that I added to make hairpin work at first place
dynamic nat
asa(config)#nat (internet2-outside) 1 192.168.150.0 255.255.255.0
Is it possible to access both
1)LAN behind ASA
2)INTERNET via HAIRPINNING
simultaneously via a single tunnel-group?
If it can be done, how do I do it. What changes do I need to make here to get simultaneous access to my LAN also?
Thanks & Regards
Abhijit

DM-VPN with Static NAT for Spoke Router. Require Expert Help

Dear All,
            This is my first time to write something .
                         i have configure DM-VPN, and it's working fine, now i want to configure static nat.
some people will think why need static nat if it's working fine.
let me tell you why i need. what is my plan.
i have HUB with 3 spoke. some time i go out side of my office and not able to access my spoke computer by Terminal Services. because its by dynamic ip address. so what i think i'll give one Static NAT on my HUB Router that if any one or Me Hit the Real/Public IP address of my HUB WAN Interface from any other Remote location so redirect this quiry to my Terminal Service computer which located in spoke network.
will for that i try but fail.
will again the suggestion will come. why not to use .. Easy VPN. well sound great. but then i have to keep my notebook with me.
i'll also do it but now i need that how to do Static NAT. like for normal Router i am doing which is not part of VPN.
ip nat inside source static tcp 192.168.1.10 3389 interface Dialer1 3389
but this time this command is not working, because the ip address which i mention it's related HUB Network not Spoke
spose spoke Network: 192.168.2.0/24
and i want on HUB Router:
ip nat inside source static tcp 192.168.2.10 3389 interface Dialer1 3389
i am using Cisco -- 887 and 877 ADSL Router.
but it's not working,   Need experts help. please write your comment's which are very important for me. waiting for your commant's
fore more details please see the diagram.
for Contact Me: [email protected]

hi rvarelac thank you for reply :
i allready done that , i put a deny statements in nat access-list excluding the vpn traffic , but the problem still there !
crypto isakmp policy 10
encr aes
authentication pre-share
crypto isakmp key 12344321 address 1.1.1.1
crypto ipsec transform-set Remote-Site esp-aes esp-sha-hmac
mode tunnel
crypto map s2s 100 ipsec-isakmp
set peer 1.1.1.1
set transform-set Remote-Site
match address vpnacl
interface GigabitEthernet0/0
crypto map s2s
Extended IP access list lantointernet
30 deny icmp 172.17.0.0 0.0.1.255 192.168.1.0 0.0.0.255
40 deny igmp 172.17.0.0 0.0.1.255 192.168.1.0 0.0.0.255
50 deny ip 172.17.0.0 0.0.1.255 192.168.1.0 0.0.0.255
80 permit ip any any

Site-to-site VPN with remote access

Hello friends,
Company has a few remote offices and goal is connect all in yhe VPN.
I have one IPSec VPN tunnel between remote1 and central office.
Tunnel status is active and everything is ok.
Other remote offices access to central server over remote desktop public IP address.
When I add this NAT command to central router configuration:
ip nat inside source static 192.168.0.10 public_ip_address
there is no ping in VPN tunnel!!!
There is problem that at the same moment work station from VPN tunnel and work station of remote office (without VPN tunnel) cant access to central server.
I have no idea...
Here is the sh run config from central router>
hostname ROUTER
boot-start-marker
boot-end-marker
logging message-counter syslog
enable secret 5 XXXXXXXXXXXXXXXXXXXXXXXXXXXX
no aaa new-model
dot11 syslog
ip source-route
ip cef
ip domain name XXXXXXXXXXXXXXXX.net
multilink bundle-name authenticated
username XXXXXXXXXXXXXX password 7 XXXXXXXXXXXXXXXXXXXXXXXXXXXX
archive
log config
hidekeys
crypto isakmp policy 1
encr cccc
cccccccc
authentication pre-share
group 2
crypto isakmp key XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX address AA.AA.AA.AA
crypto ipsec transform-set TS XXXXXX XXXXXXXXX
crypto map CMAP 10 ipsec-isakmp
set peer AA.AA.AA.AA
set transform-set TS
match address VPN-TRAFFIC
interface FastEthernet0/1
description INTERNET
ip address BB.BB.BB.BB 255.255.255.252
ip nat outside
ip virtual-reassembly
duplex auto
speed auto
crypto map CMAP
interface FastEthernet0/0/0
interface FastEthernet0/0/1
interface FastEthernet0/0/2
interface FastEthernet0/0/3
interface Vlan1
description LAN_MREZA
ip address 192.168.0.5 255.255.255.0
ip nat inside
ip virtual-reassembly
ip forward-protocol nd
ip route 0.0.0.0 0.0.0.0 BB.BB.BB.BB
no ip http server
no ip http secure-server
ip nat pool NAT_POOL CC.CC.CC.CC netmask 255.255.255.252
ip nat inside source list 100 pool NAT_POOL overload
ip nat inside source static 192.168.0.10 FF.Ff.FF.FF
ip access-list extended VPN-TRAFFIC
permit ip 192.168.0.0 0.0.0.255 192.168.1.0 0.0.0.255
access-list 100 deny ip 192.168.0.0 0.0.0.255 192.168.1.0 0.0.0.255
access-list 100 permit ip 192.168.0.0 0.0.0.255 any
control-plane
line con 0
password 7 xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
login
line aux 0
line vty 0 4
login local
transport input ssh
scheduler allocate 20000 1000
end

Hi,
Do you mean that you have
A VPN Pool of 192.168.111.0/24
You want it to be able to connect to networks behind a new L2L VPN
If so, then I see no problem with it.
You will naturally require NAT configurations and define the interesting traffic
You will also need to make sure you have "same-security-traffic permit intra-interface" on the firewall with the VPN Client and L2L VPN configuration. This would enable the traffic to enter and leave the same interface which in this case is probably "outside" or something similiar
- Jouni

Solaris 10 site to site VPN with netscreen or linux freeswan

Hello,
Have anybody made Solaris site to site ipsec VPN with netscreen firewall or linux freeswan?

a.alekseev,
It works! Thank you very much. I somehow have overlooked that command entirely. I am very grateful.

Single Corporate SSID + Single Guest SSID across 200 sites over VPN with Flex Connect

We have two main sites (East Building as DR + West Building as BDR) + 100 remote sites / all connection between the sites based on VPN / OSPF
East building has 1 WLC 5508 with a license of 500 AP
West building has 1 WLC 5508 with a license of 500 AP
50 remote sites in East
Each East remote site have 5 AP (AIR-LAP1142N + AIR-CAP2602I)
Total AP in all the 50 remote site in East is 250 AP
50 remote site in West
Each West remote site have 5 AP (AIR-LAP1142N + AIR-CAP2602I)
Total AP in all the 50 remote site in West is 250 AP
Hardware available are:
2 * WLC 5508
2 * ACS 5.2
Most of the switches that connect to the AP are 2960G
All the AP are
AIR-LAP1142N-E-K9
AIR-CAP2602I-E-K9
Requirements in Brief:-
1 SSID for Internal user across all the sites
1 SSID for Guest user across all the sites
All IP for all the sites based on their local subnet
All the remote sites need to be Flex connect
The 2 WLC need to configure as failover
Requirements in Details:-
One Corporate ABC-SSID for all the sites
One Guest ABC-SSID for all the sites
The WLC in East building is the primary which control all the East remote site (250 AP)
The WLC in West building is the secondary which control all the West remote site (250 AP)
A fail over between the two WLC as below:
If the WLC in east fail then all the AP in east (250 AP) will connect to WLC in West
If the WLC in West fail then all the AP in west (250 AP) will connect to WLC in East
Each Remote site behaving as Flex connect to reduce the overhead over the WAN/VPN
Each site must have their own AP groups for the ease of management
All the AP MGMT IP based on their local subnet
Each remote site, West building, and East building must obtain their IP based on their local VLAN Example:- site-1 in East:
Corporate ABC-SSID take 10.204.0.0/24
Guest ABC-SSID take 192.168.0.0/24
Example:- site-2 in East:
Corporate ABC-SSID take 10.204.1.0/24
Guest ABC-SSID take 192.168.1.0/24
Example:- site-3 in East:
Corporate ABC-SSID take 10.204.2/24
Guest ABC-SSID take 192.168.2.0/24
And so on…….
Example:- site-1 in West:
Corporate ABC-SSID take 10.204.100.0/24
Guest ABC-SSID take 192.168.100.0/24
Example:- site-2 in West:
Corporate ABC-SSID take 10.204.101.0/24
Guest ABC-SSID take 192.168.101.0/24
Example:- site-3 in West:
Corporate ABC-SSID take 10.204.102.0/24
Guest ABC-SSID take 192.168.102.0/24
And so on…….
Reference that I found
https://supportforums.cisco.com/thread/2039215
Expert I'm really stuck here, so please any help will do.
Thanks in advance

What are you stuck on? What you have mentioned is possible.
When you setup FlexConnect and also when AP's night failover, you need to make sure that the WLAN ID are in the same order in bother WLC's. also the AP Groups have the same information and have the same AP Group names and WLAN to vlan mapping. So as long as the WLC's are configured exactly the same except for IP addresses and hostname a, failover for FlexConnect will work fine.
Now the FlexConnect WLAN to vlan mapping is done on the access point itself. So each AP will have to configured. AP Groups will not help here as you can really just create one since you will have the same WLAN's broadcasting at each site. You can make is simple though:) and this is a good tip.....
If all your vlans are the same in every site including your DR and BDR, then the WLAN to vlan mapping will use the vlan if you have specified in the the WLAN under the I terrace mapping. So if in your corporate WLAN it is mapped to I terrace vlan 100, all you FlexConnect AP's will have that mapping set to vlan 100. If your guest at WLAN is mapped to vlan 999 interface on the WLC then the FlexConnect WLAN to vlan mapping for the guest will be set to vlan 999.
Now if you have different vlan id's for each site or it might be the same for some and not the others, well you will have to tough each AP and configure the WLAN to vlan mapping.
The WLAN to vlan mapping appears only when you have enabled FlexConnect local swit hung in the WLAN and you have the access point in FlexConnect mode.
Sent from Cisco Technical Support iPhone App

Site to site VPN with windows server 2012

I am trying to connect our server to cisco site-to-site IPSec VPN with one of our partners servers, they asked us to implement the settings they gave us into our router, but actually we don't have access to the router, we are just connected directly with
our ISP. alternatively, we were informed that we can use software VPN instead, and yes we found a working one, tested and verified, but we have to pay for it to keep running.
Now my question is, having that we are running windows server 2012 R2, how can we establish this VPN connection directly from windows without the need to use third parties tools?
The only parameter that we have to connect are:
Gateway IP: xxx.xxx.xxx.xxx
Authentication Pre-shared Key: ######
Encryption: 3DES
Hash authentication: MD5
DH: Group1
No username or password is needed with this type of VPN.
Any help is appreciated.
Best regards, Abed

Hi,
You may try to configure the Windows Server 2012 (RRAS) as VPN router to connect to the 3rd party VPN server(compatible with Windows Server VPN).
Some samples just for your reference:
Checklist: Implementing a Site-to-Site Connection Design
https://technet.microsoft.com/en-us/library/ff687867(v=ws.10).aspx
TMG Configuring site-to-site VPN access
http://technet.microsoft.com/en-us/library/bb838949.aspx
More about how to deploy the RRAS on TMG please post in the TMG forum:
Forefront support forum
http://social.technet.microsoft.com/Forums/forefront/en-us/home?category=forefront
Best Regards,
Eve Wang
Please remember to mark the replies as answers if they help and unmark them if they provide no help. If you have feedback for TechNet Support, contact [email protected]

ACS Database Replication over VPN with overlapping Network Addresses

We currently have two co-locations each situated in different provinces. We have two ACS servers which we want to deploy at each co-location. All our network equipments are behind PIX/ASA devices. Getting them to replicate over the VPN should be easy but in our case we have overlapping Network Addresses at both ends of the tunnels.
As per Cisco data does not transit a NAT device when the two Cisco Secure ACS servers communicate and a successful database replication can occur only if the secondary ACS server perceives no change in the IP header or content of the data it receives. So that means we will not be able to Implement NAT to achiever this.
Has any one of you faced this problem of replicating ACS Database over the VPN with overlapping Network Addresses and was anyone able to successfully solve this issue using a work around ?
All provided info and comments are greatly appreciated.

I can help with the 3005 setup if you decide to go that route.
You will need to add 2 network list entries under Configuration>Policy Management>Traffic Management>Network Lists.
You will need to configure a local and remote address. The local will be one of the public ip's for the site.(Provided by your ISP)The remote will be the device you are connecting to on the other end.
You will also need to add a Nat Lan to Lan rule under Configuration>Policy Management>Traffic Management>Nat>Lan to Lan.
Use a static Nat type. The rest will look similar to my example.
Source(Local address)Translated(Public Ip Address used in the network local list)Remote(Ip address of the device on the other end)
Now just create an Ipsec lan to lan tunnel. You will need to agree with the ISP on des type and auth type. Use you local and remote networks you created earlier.

VPN with Dynamic IP

Hi
I got One HQ and 3 Remote Offices ; all branches would need to access application,Email from HQ.
At HQ I got 3845 VPN Server ; 2MB Internet Link with 2 Public IP
AT Branch #1 I got 2801 Router ; 1MB Internet link with 2 Public IP
At Branch #2 I got 887 DSL Router ; 4MB DSL Internet with Dynamic Public Ip
At Branch #3 I got ASA 5510 ; 1MB DSL Internet with 2 Public IP
Site to Site VPN between HQ and Branch# 1 is working ok. What configuration I need on HQ and Branch #2 to setup the VPN
HQ Subnets
192.168.150.0 255.255.255.0 - Users
192.168.151.0 255.255.255.0 - Application Server
192.168.152.0 255.255.255.0 - Windows Server
192.168.153.0 255.255.255.0 - Linux Server
Branch#1 Subnet
192.168.200.0 255.255.255.0 - Users
Branch#2 subnet
192.168.203.0 255.255.255.0 - Users
Branch#3 Subnets
192.168.206.0 255.255.255.0 - Users
HQ_VPN_Configuration
crypto isakmp policy 1
encr 3des
hash md5
authentication pre-share
crypto isakmp key 123456 address 5.5.5.5
crypto ipsec transform-set VPN_Con_BR1 esp-3des esp-md5-hmac
crypto map VPN 10 ipsec-isakmp
set peer 5.5.5.5
set transform-set VPN_Con_BR1
match address BR1
Interface tunnel 15
description GRE_Tunel_to_BR1
ip address 10.100.200.1 255.255.255.252
Tunnel source 10.10.12.2
Tunnel destination 172.16.32.2
Interface GigabitEthernet0/0
Description "Connected to BackBone"
ip address 10.10.12.2 255.255.255.248
Interface GigabitEthernet0/1
Description "Public IP Interface"
ip address 1.1.1.1 255.255.255.252
no ip redirect
crypto map VPN
Router ospf 2
network 10.10.12.2 0.0.0.0 area 0
network 10.100.200.1 0.0.0.0 area 0
ip router 0.0.0.0 0.0.0.0 1.1.1.1
ip access-list extended BR1
permit gre host 1.1.1.1 host 5.5.5.5

Looking for support on configuring HQ Router for VPN with Dynamic IP on remote end
I managed to built up Branch#2 configuration
crypto isakmp policy 10
hash md5
authentication pre-share
crypto isakmp key 123456 address 1.1.1.1
crypto isakmp keepalive 300
crypto ipsec transform-set VPN esp-des esp-md5-hmac
crypto map vpn 10 ipsec-isakmp
set peer 1.1.1.1
set transform-set VPN
match address 115
interface Ethernet0
ip address 192.168.203 255.255.255.0
ip nat inside
interface ATM0
bandwidth 4160
no ip address
load-interval 30
no atm ilmi-keepalive
dsl operating-mode auto
pvc 0/50
encapsulation aal5mux ppp dialer
dialer pool-member 1
interface Dialer0
bandwidth 4160
ip address negotiated
ip mtu 1492
ip nat outside
ip virtual-reassembly
encapsulation ppp
no ip mroute-cache
dialer pool 1
dialer-group 1
no cdp enable
ppp authentication pap callin
ppp chap refuse
ppp pap sent-username ABCD password 7 ABCD
ppp ipcp address accept
crypto map VPN
ip route 0.0.0.0 0.0.0.0 Dialer0
no ip http server
no ip http secure-server
ip nat inside source list 100 interface Dialer0 overload
access-list 100 deny   ip 192.168.203.0 0.0.0.255 192.168.151.0 0.0.0.255
access-list 100 deny   ip 192.168.203.0 0.0.0.255 192.168.152.0 0.0.0.255
access-list 100 deny   ip 192.168.203.0 0.0.0.255 192.168.153.0 0.0.0.255
access-list 115 Permit ip 192.168.203.0 0.0.0.255 192.168.151.0 0.0.0.255
access-list 115 Permit ip 192.168.203.0 0.0.0.255 192.168.152.0 0.0.0.255
access-list 115 Permit ip 192.168.203.0 0.0.0.255 192.168.153.0 0.0.0.255
dialer-list 1 protocol ip permit

ASA 5505 VPN with backup route

We are looking to set up a site-to-site VPN with a backup over a T1. We have a remote site with a 1841 router. This router has a PTP T1 back to a secondary location with a 2811. Due to location, the only option we had to get additional bandwidth was to have a cable modem installed. We want to set a site-to-site up to our primary location, with a backup route over the T1 in the event the cable modem goes down. We have an ASA 5505 at the remote location, and an ASA 5540 at the primary. In addition, we want to split the traffic across the two connections. Since the wireless controllers are anchored back to the secondary location, we want to send that traffic over the PTP T1 and the rest of the traffic over the VPN. We also need to have a backup route for the wireless traffic to send across the VPN in the event the T1 goes down.

Go to this link and scroll down to Site to Site VPN (L2L) with IOS and Site to Site VPN (L2L) with ASA, you can use the links example depicting your scenario requirements, where one end is dynamic and other static for Ipsec L2L IOS-to-ASA or ASA-to-IOS.
The best solution obiosly is having static IP addressing, make that clear with your client , but these exmaples are very good solution for your problem.
Keep in mind that the DHCP dynamic side will always be the initiator to bring up the tunnel , not the static side.
http://www.cisco.com/en/US/products/ps6120/prod_configuration_examples_list.html
Regards

RV042 Site-to-Stie VPN with NAT on one side

Similar Messages

Maybe you are looking for