VPN s2s tunnel after PAT and NAT on non-cisco
hello!
I have a Cisco 1711. On the LAN there is a Zyxel firewall. I have tried to establish an s2s tunnel between this LAN Zyxel and another Zyxel on the other side, on the WAN.
cisco:
interface Serial0
description Polaczenie do Internetu$FW_OUTSIDE$
bandwidth 2048
ip address 80.50.92.xxx 255.255.255.252
ip nat pool PAT 213.77.105.248 213.77.105.252 prefix-length 29
ip nat inside source static 192.168.0.199 213.77.105.xxx extendable
The Zyxel is at LAN address 192.168.0.199 and is NATed to 213.77.105.xxx.
My question is:
Is it possible to establish an s2s tunnel with a host that, on the LAN, is NATed to a WAN address as above?
So you're saying that your configuration is:
Zyxel (LAN) -> 1711 -> Zyxel (WAN), and you want to establish an L2L VPN tunnel between the LAN and WAN Zyxel firewalls, and you're NATing the LAN Zyxel firewall to a WAN address?
If yes, then your answer is: yes, you can do a VPN, but using NAT-Traversal. It's a technology where the IKE ports of the initiator and the responder are changed from their default value of 500 to 4500 in order to support NAT devices working in between the VPN peers. If your Zyxel firewall supports NAT-T then there's a good chance this will work.
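The following is an added illustration, not part of the thread or of either vendor's code, of how NAT-Traversal notices the 1711's static NAT in the first place: each IKE peer sends a NAT-D hash (RFC 3947) of the address and port it believes it is using, the other side recomputes it from what it actually observed, and only on a mismatch do both sides float to UDP/4500. The public address of the LAN Zyxel is masked in the post, so 213.77.105.250 (taken from the posted pool range) and the WAN Zyxel address 198.51.100.10 are constructed placeholders, and SHA-1 is assumed as the negotiated IKE hash.

```python
import hashlib
import ipaddress
import struct

# Constructed values for the topology in the question: the LAN Zyxel sits at
# 192.168.0.199 behind the 1711, which statically NATs it to a public address.
# The real public address is masked in the post; 213.77.105.250 is a stand-in
# from the posted NAT pool range, and the WAN Zyxel address is an RFC 5737
# documentation-range placeholder.
LAN_ZYXEL_PRIVATE = "192.168.0.199"
LAN_ZYXEL_PUBLIC = "213.77.105.250"   # constructed placeholder for 213.77.105.xxx
WAN_ZYXEL = "198.51.100.10"           # constructed placeholder
IKE_PORT = 500
NAT_T_PORT = 4500


def nat_d_hash(cky_i: bytes, cky_r: bytes, ip: str, port: int) -> bytes:
    """RFC 3947 NAT-D payload: HASH(CKY-I | CKY-R | IP | Port), computed with
    the negotiated IKE hash. SHA-1 is assumed here."""
    packed_ip = ipaddress.ip_address(ip).packed
    return hashlib.sha1(cky_i + cky_r + packed_ip + struct.pack("!H", port)).digest()


def nat_detected(cky_i: bytes, cky_r: bytes,
                 sender_ip: str, sender_port: int,
                 observed_ip: str, observed_port: int) -> bool:
    """The sender hashes the address it believes it is sending from; the
    receiver recomputes the hash from the source address and port it actually
    saw in the IP/UDP header. Any mismatch means a NAT rewrote the packet."""
    sent = nat_d_hash(cky_i, cky_r, sender_ip, sender_port)
    seen = nat_d_hash(cky_i, cky_r, observed_ip, observed_port)
    return sent != seen


def choose_ike_port(behind_nat: bool, both_support_nat_t: bool):
    """Peers float from UDP/500 to UDP/4500 (and carry ESP inside UDP/4500)
    only when a NAT was detected and both advertised NAT-T support. Returns
    the port to use, or None when the tunnel cannot be expected to come up."""
    if not behind_nat:
        return IKE_PORT
    return NAT_T_PORT if both_support_nat_t else None


def lan_zyxel_scenario(both_support_nat_t: bool):
    """Walk the thread's case: the LAN Zyxel initiates from its private
    address, but the WAN Zyxel sees the 1711's static-NAT address instead."""
    cky_i = bytes.fromhex("0102030405060708")   # constructed initiator cookie
    cky_r = bytes.fromhex("1112131415161718")   # constructed responder cookie
    natted = nat_detected(cky_i, cky_r,
                          LAN_ZYXEL_PRIVATE, IKE_PORT,   # what the LAN Zyxel hashes
                          LAN_ZYXEL_PUBLIC, IKE_PORT)    # what the WAN Zyxel observes
    return natted, choose_ike_port(natted, both_support_nat_t)


if __name__ == "__main__":
    print("NAT detected, port:", lan_zyxel_scenario(both_support_nat_t=True))
```

Because the 1711 entry is a static 1:1 NAT the port stays 500 and only the address differs, which is already enough to fail the hash comparison; a PAT entry would change the port as well.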
Similar Messages
Overlapping Networks with Tunnel GRE/IPsec and NAT
Does anyone have experience with NATing on a GRE tunnel interface? I need to NAT between two private networks because they are overlapping. I tried to NAT directly on the tunnel interface.
e.g.
Ethernet 0/0
ip nat inside
Tunnel0 (GRE with CryptoMap)
ip nat outside
However, I didn't succeed this way. What's the best way to achieve my goal?
Thanks. I already checked this paper. The problem is that it only talks about IPsec and not about GRE/IPsec and NATing on a tunnel interface.
However, I made some tests in the lab and it worked fine. So I went back to the customer site and I had to reboot the small 836 to get it working.
What I learned is: "ip nat outside" on a tunnel interface on a Cisco 836 is no problem. This is good news if you have to add partner companies with GRE/IPsec and they don't have IP ranges you like, so you just NAT them and give them IP addresses of your choice.
Overlapping lan segments S2S tunnels (the other end)
Is there any way to policy NAT incoming VPN S2S tunnel traffic? I know we can policy NAT outgoing to send traffic over a tunnel as something else...
e.g.
my firewall
LAN segment 192.168.10.0/24
1st external firewall with s2s tunnel #1 back to my firewall
LAN 10.10.10.0/24
2nd external firewall with s2s tunnel #2 back to my firewall
LAN 10.10.10.0/24
If no changes can be made to the 1st and 2nd external firewall, meaning we cannot get at least one of them to policy NAT out as another subnet... is there anything we can do on the "my firewall"? (Any incoming NAT policy options, or routes over the tunnel peer IP, or something or the other???)
And these would be Cisco ASAs, all three at least.
Thank you!
Hi, I looked at the document and thank you for responding! My scenario would be a little bit different though, wherein we have another PIX, say "pix-C", which in the PDF would also be using 10.1.0.0/24.
We couldn't make a 2nd policy NAT for pix-C. We couldn't have a 2nd source and destination ACL used for a 2nd policy map, as pix-A would not know which access-list to use...
I know another option is public IP to public IPs for the site to site, but that isn't always an option.
So going by the PDF you attached, what if there was also a pix-C that is also using 10.1.0.0/24 and we cannot make configuration changes on pix-B or pix-C, only on pix-A... is there any way we can have the two site to sites, A to B and A to C, even though B and C both have 10.1.0.0/24?
ASA5505 L2L VPN does not function after move and reconfiguration
I have an ASA5505 that had multiple VPNs to both Cisco 5505s and other vendors' security appliances. The one in question, which moved to a new IP address, checks out on isa sa, ipsec sa and nat, yet there is no communication across the tunnel. This behavior is consistent across all remote sites. The remote sites function normally. Below is the output of some show commands.
ASA Version 8.4(4)
hostname RitterBars
names
name 67.231.37.42 RitterLAB-ASA
name 67.231.37.45 RitterLAB-LB-WAN1
name 64.233.131.94 RitterLAB-LB-WAN3
interface Ethernet0/0
switchport access vlan 2
interface Ethernet0/1
switchport access vlan 3
interface Ethernet0/2
interface Ethernet0/3
interface Ethernet0/4
interface Ethernet0/5
interface Ethernet0/6
interface Ethernet0/7
interface Vlan1
nameif inside
security-level 100
ip address 192.168.1.1 255.255.255.0
interface Vlan2
description Port 7 on 9108
nameif outside
security-level 0
ip address dhcp setroute
interface Vlan3
no forward interface Vlan2
nameif CoreNetwork
security-level 0
ip address 172.20.10.22 255.255.255.128
boot system disk0:/asa844-k8.bin
ftp mode passive
clock timezone CST -6
clock summer-time CST recurring
object network obj-192.168.1.0
subnet 192.168.1.0 255.255.255.0
object network obj-192.168.9.0
subnet 192.168.9.0 255.255.255.0
object network obj-192.168.85.0
subnet 192.168.85.0 255.255.255.0
object network obj-10.200.1.0
subnet 10.200.1.0 255.255.255.0
object network obj-192.168.3.0
subnet 192.168.3.0 255.255.255.0
object network obj-192.168.1.2
host 192.168.1.2
object service obj-tcp-source-eq-22
service tcp source eq ssh
object service obj-tcp-source-eq-5922
service tcp source eq 5922
object network obj-192.168.1.10
host 192.168.1.10
object service obj-tcp-source-eq-5125
service tcp source eq 5125
object service obj-tcp-source-eq-80
service tcp source eq www
object network obj-192.168.1.119
host 192.168.1.119
object service obj-udp-source-eq-69
service udp source eq tftp
object network obj-192.168.1.51
host 192.168.1.51
object service obj-tcp-source-eq-443
service tcp source eq https
object service obj-tcp-source-eq-5980
service tcp source eq 5980
object network obj-192.168.1.114
host 192.168.1.114
object network obj-96.43.39.27
host 96.43.39.27
object network obj-xxx.xxx.xxx.xxx
host xxx.xxx.xxx.xxx
object-group network Inside
network-object 192.168.1.0 255.255.255.0
access-list split-tunnel extended permit ip 192.168.1.0 255.255.255.0 192.168.9.0 255.255.255.0
access-list no_nat extended permit ip 192.168.1.0 255.255.255.0 192.168.9.0 255.255.255.0
access-list no_nat extended permit ip 192.168.1.0 255.255.255.0 192.168.85.0 255.255.255.0
access-list no_nat extended permit ip 192.168.1.0 255.255.255.0 10.200.1.0 255.255.255.0
access-list no_nat extended permit ip 192.168.1.0 255.255.255.0 192.168.3.0 255.255.255.0
access-list VPN2LAB extended permit ip 192.168.1.0 255.255.255.0 192.168.85.0 255.255.255.0
access-list VPN2LAB extended permit ip 192.168.1.0 255.255.255.0 10.200.1.0 255.255.255.0
access-list Barracudalab extended permit ip 192.168.1.0 255.255.255.0 192.168.3.0 255.255.255.0
access-list inat extended permit ip 192.168.1.0 255.255.255.0 any
access-list vnat extended permit ip 192.168.1.0 255.255.255.0 host 216.163.29.244
access-list out2in extended permit tcp host 64.233.128.6 host 192.168.1.2 eq ssh
access-list out2in extended permit tcp 64.233.128.0 255.255.255.0 host 192.168.1.2 eq ssh
access-list out2in extended permit tcp 64.233.128.0 255.255.255.0 host 192.168.1.10 eq 5125
access-list out2in extended permit tcp 64.233.128.0 255.255.255.0 host 192.168.1.10 eq www
access-list out2in extended permit udp 64.233.128.0 255.255.255.0 host 192.168.1.119 eq tftp
access-list out2in extended permit tcp 64.233.128.0 255.255.255.0 host 192.168.1.51 eq https
access-list out2in extended permit ip 64.233.128.0 255.255.255.0 192.168.1.0 255.255.255.0
access-list out2in extended permit tcp any host 192.168.1.10 eq 5125
access-list out2in extended permit tcp any host 192.168.1.10 eq www
access-list out2in extended permit tcp any 192.168.1.0 255.255.255.0 eq ftp
access-list out2in extended permit tcp any 192.168.1.0 255.255.255.0 eq ftp-data
access-list out2in extended permit udp any host 192.168.1.119 eq tftp
access-list out2in extended permit tcp any host 192.168.1.51 eq https
access-list out2in extended permit icmp any any
pager lines 24
logging console alerts
logging asdm informational
mtu inside 1500
mtu outside 1500
mtu CoreNetwork 1500
ip local pool vpn-pool 192.168.9.10-192.168.9.250
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-649.bin
no asdm history enable
arp timeout 14400
nat (inside,any) source static obj-192.168.1.0 obj-192.168.1.0 destination static obj-192.168.9.0 obj-192.168.9.0 no-proxy-arp
nat (inside,any) source static obj-192.168.1.0 obj-192.168.1.0 destination static obj-192.168.85.0 obj-192.168.85.0 no-proxy-arp
nat (inside,any) source static obj-192.168.1.0 obj-192.168.1.0 destination static obj-10.200.1.0 obj-10.200.1.0 no-proxy-arp
nat (inside,any) source static obj-192.168.1.0 obj-192.168.1.0 destination static obj-192.168.3.0 obj-192.168.3.0 no-proxy-arp
nat (inside,outside) source static obj-192.168.1.2 interface service obj-tcp-source-eq-22 obj-tcp-source-eq-5922
nat (inside,outside) source static obj-192.168.1.10 interface service obj-tcp-source-eq-5125 obj-tcp-source-eq-5125
nat (inside,outside) source static obj-192.168.1.10 interface service obj-tcp-source-eq-80 obj-tcp-source-eq-80
nat (inside,outside) source static obj-192.168.1.119 interface service obj-udp-source-eq-69 obj-udp-source-eq-69
nat (inside,outside) source static obj-192.168.1.51 interface service obj-tcp-source-eq-443 obj-tcp-source-eq-5980
nat (inside,outside) source static obj-192.168.1.114 obj-96.43.39.27
nat (inside,CoreNetwork) source dynamic obj-192.168.1.0 interface destination static obj-xxx.xxx.xxx.xxx obj-xxx.xxx.xxx.xxx
nat (inside,outside) source dynamic Inside interface
nat (inside,outside) after-auto source dynamic any interface
access-group out2in in interface outside
route CoreNetwork 172.20.30.0 255.255.255.248 172.20.10.1 1
route CoreNetwork 216.163.29.244 255.255.255.255 172.20.10.1 1
timeout xlate 3:00:00
timeout pat-xlate 0:00:30
timeout conn 0:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
dynamic-access-policy-record DfltAccessPolicy
user-identity default-domain LOCAL
aaa authentication ssh console LOCAL
http server enable
http 192.168.1.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec ikev1 transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec ikev1 transform-set psset esp-aes-256 esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-DES-SHA esp-des esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-DES-MD5 esp-des esp-md5-hmac
crypto map samap 1 match address VPN2LAB
crypto map samap 1 set peer RitterLAB-ASA
crypto map samap 1 set ikev1 transform-set ESP-AES-256-SHA
crypto map samap 2 match address Barracudalab
crypto map samap 2 set peer RitterLAB-LB-WAN1 RitterLAB-LB-WAN3
crypto map samap 2 set ikev1 transform-set ESP-3DES-SHA
crypto map samap interface outside
crypto isakmp identity address
crypto ikev1 enable outside
crypto ikev1 policy 10
authentication pre-share
encryption aes-256
hash sha
group 2
lifetime 86400
crypto ikev1 policy 11
authentication pre-share
encryption 3des
hash sha
group 2
lifetime 86400
telnet timeout 5
ssh 192.168.1.0 255.255.255.0 inside
ssh timeout 5
ssh key-exchange group dh-group1-sha1
console timeout 0
management-access inside
dhcpd dns 64.233.128.10 64.233.128.11
dhcpd auto_config outside
dhcpd address 192.168.1.100-192.168.1.150 inside
dhcpd enable inside
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
ntp server 66.187.233.4 source outside
ntp server 64.99.80.30 source outside
webvpn
username xxx.xxx.xxx.xxx password xxx.xxx.xxx.xxx encrypted privilege 15
username xxx.xxx.xxx.xxx attributes
vpn-group-policy WebVPNpolicy
username xxx.xxx.xxx.xxx password xxx.xxx.xxx.xxx encrypted privilege 15
username xxx.xxx.xxx.xxx attributes
vpn-group-policy WebVPNpolicy
tunnel-group 67.231.37.42 type ipsec-l2l
tunnel-group 67.231.37.42 ipsec-attributes
ikev1 pre-shared-key xxx.xxx.xxx.xxx
tunnel-group 67.231.37.45 type ipsec-l2l
tunnel-group 67.231.37.45 ipsec-attributes
ikev1 pre-shared-key xxx.xxx.xxx.xxx
tunnel-group 64.233.131.94 type ipsec-l2l
tunnel-group 64.233.131.94 ipsec-attributes
ikev1 pre-shared-key xxx.xxx.xxx.xxx
class-map inspection_default
match default-inspection-traffic
policy-map type inspect dns preset_dns_map
parameters
message-length maximum 512
policy-map global_policy
class inspection_default
inspect dns preset_dns_map
inspect ftp
inspect h323 h225
inspect h323 ras
inspect netbios
inspect rsh
inspect rtsp
inspect skinny
inspect esmtp
inspect sqlnet
inspect sunrpc
inspect xdmcp
inspect ip-options
inspect tftp
service-policy global_policy global
prompt hostname context
no call-home reporting anonymous
call-home
profile CiscoTAC-1
no active
destination address http https://tools.cisco.com/its/service/oddce/services/DDCEService
destination address email [email protected]
destination transport-method http
subscribe-to-alert-group diagnostic
subscribe-to-alert-group environment
subscribe-to-alert-group inventory periodic monthly
subscribe-to-alert-group configuration periodic monthly
subscribe-to-alert-group telemetry periodic daily
Cryptochecksum:bcdf7281cbf323ff6af7457149529a5b
: end
RitterBars# sh isa sa
IKEv1 SAs:
Active SA: 2
Rekey SA: 0 (A tunnel will report 1 Active and 1 Rekey SA during rekey)
Total IKE SA: 2
1 IKE Peer: 67.231.37.45
Type : L2L Role : responder
Rekey : no State : MM_ACTIVE
2 IKE Peer: 67.231.37.42
Type : L2L Role : initiator
Rekey : no State : MM_ACTIVE
There are no IKEv2 SAs
RitterBars# sh ipsec sa
interface: outside
Crypto map tag: samap, seq num: 1, local addr: 96.43.41.168
access-list VPN2LAB extended permit ip 192.168.1.0 255.255.255.0 192.168.85.0 255.255.255.0
local ident (addr/mask/prot/port): (192.168.1.0/255.255.255.0/0/0)
remote ident (addr/mask/prot/port): (192.168.85.0/255.255.255.0/0/0)
current_peer: 67.231.37.42
#pkts encaps: 4, #pkts encrypt: 4, #pkts digest: 4
#pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0
#pkts compressed: 0, #pkts decompressed: 0
#pkts not compressed: 4, #pkts comp failed: 0, #pkts decomp failed: 0
#pre-frag successes: 0, #pre-frag failures: 0, #fragments created: 0
#PMTUs sent: 0, #PMTUs rcvd: 0, #decapsulated frgs needing reassembly: 0
#send errors: 0, #recv errors: 0
local crypto endpt.: 96.43.41.168/0, remote crypto endpt.: 67.231.37.42/0
path mtu 1500, ipsec overhead 74, media mtu 1500
current outbound spi: 6F98A015
current inbound spi : 6DD466F0
inbound esp sas:
spi: 0x6DD466F0 (1842636528)
transform: esp-aes-256 esp-sha-hmac no compression
in use settings ={L2L, Tunnel, }
slot: 0, conn_id: 1122304, crypto-map: samap
sa timing: remaining key lifetime (kB/sec): (4374000/28182)
IV size: 16 bytes
replay detection support: Y
Anti replay bitmap:
0x00000000 0x00000001
outbound esp sas:
spi: 0x6F98A015 (1872273429)
transform: esp-aes-256 esp-sha-hmac no compression
in use settings ={L2L, Tunnel, }
slot: 0, conn_id: 1122304, crypto-map: samap
sa timing: remaining key lifetime (kB/sec): (4373999/28182)
IV size: 16 bytes
replay detection support: Y
Anti replay bitmap:
0x00000000 0x00000001
Crypto map tag: samap, seq num: 2, local addr: 96.43.41.168
access-list Barracudalab extended permit ip 192.168.1.0 255.255.255.0 192.168.3.0 255.255.255.0
local ident (addr/mask/prot/port): (192.168.1.0/255.255.255.0/0/0)
remote ident (addr/mask/prot/port): (192.168.3.0/255.255.255.0/0/0)
current_peer: 67.231.37.45
#pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
#pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0
#pkts compressed: 0, #pkts decompressed: 0
#pkts not compressed: 0, #pkts comp failed: 0, #pkts decomp failed: 0
#pre-frag successes: 0, #pre-frag failures: 0, #fragments created: 0
#PMTUs sent: 0, #PMTUs rcvd: 0, #decapsulated frgs needing reassembly: 0
#send errors: 0, #recv errors: 0
local crypto endpt.: 96.43.41.168/0, remote crypto endpt.: 67.231.37.45/0
path mtu 1500, ipsec overhead 58, media mtu 1500
current outbound spi: 51AF17EA
current inbound spi : 859BC586
inbound esp sas:
spi: 0x859BC586 (2241578374)
transform: esp-3des esp-sha-hmac no compression
in use settings ={L2L, Tunnel, }
slot: 0, conn_id: 1118208, crypto-map: samap
sa timing: remaining key lifetime (sec): 28152
IV size: 8 bytes
replay detection support: Y
Anti replay bitmap:
0x00000000 0x00000001
outbound esp sas:
spi: 0x51AF17EA (1370429418)
transform: esp-3des esp-sha-hmac no compression
in use settings ={L2L, Tunnel, }
slot: 0, conn_id: 1118208, crypto-map: samap
sa timing: remaining key lifetime (sec): 28152
IV size: 8 bytes
replay detection support: Y
Anti replay bitmap:
0x00000000 0x00000001
RitterBars# sh nat int inside
Manual NAT Policies (Section 1)
1 (inside) to (any) source static obj-192.168.1.0 obj-192.168.1.0 destination static obj-192.168.9.0 obj-192.168.9.0 no-proxy-arp
translate_hits = 0, untranslate_hits = 0
2 (inside) to (any) source static obj-192.168.1.0 obj-192.168.1.0 destination static obj-192.168.85.0 obj-192.168.85.0 no-proxy-arp
translate_hits = 18, untranslate_hits = 0
3 (inside) to (any) source static obj-192.168.1.0 obj-192.168.1.0 destination static obj-10.200.1.0 obj-10.200.1.0 no-proxy-arp
translate_hits = 0, untranslate_hits = 0
4 (inside) to (any) source static obj-192.168.1.0 obj-192.168.1.0 destination static obj-192.168.3.0 obj-192.168.3.0 no-proxy-arp
translate_hits = 0, untranslate_hits = 0
5 (inside) to (outside) source static obj-192.168.1.2 interface service obj-tcp-source-eq-22 obj-tcp-source-eq-5922
translate_hits = 0, untranslate_hits = 0
6 (inside) to (outside) source static obj-192.168.1.10 interface service obj-tcp-source-eq-5125 obj-tcp-source-eq-5125
translate_hits = 0, untranslate_hits = 9094
7 (inside) to (outside) source static obj-192.168.1.10 interface service obj-tcp-source-eq-80 obj-tcp-source-eq-80
translate_hits = 0, untranslate_hits = 126
8 (inside) to (outside) source static obj-192.168.1.119 interface service obj-udp-source-eq-69 obj-udp-source-eq-69
translate_hits = 0, untranslate_hits = 0
9 (inside) to (outside) source static obj-192.168.1.51 interface service obj-tcp-source-eq-443 obj-tcp-source-eq-5980
translate_hits = 0, untranslate_hits = 195
10 (inside) to (outside) source static obj-192.168.1.114 obj-96.43.39.27
translate_hits = 0, untranslate_hits = 0
11 (inside) to (CoreNetwork) source dynamic obj-192.168.1.0 interface destination static obj-216.163.29.244 obj-216.163.29.244
translate_hits = 107, untranslate_hits = 0
12 (inside) to (outside) source dynamic Inside interface
translate_hits = 35387, untranslate_hits = 2940
Manual NAT Policies (Section 3)
1 (inside) to (outside) source dynamic any interface
translate_hits = 291, untranslate_hits = 78
I just recently got the triple play package from Verizon with FiOS too. And of course the Actiontec is total crap. The very first night it rebooted over and over again. What good is an internet connection you can't use, right... Anyways, I have a Cisco 831 that I use for a VPN to work, and so I decided to put that up front.
Anyways, had the same problem. First I set up my router to bridge the connection from the Actiontec to my router. So it goes Broadband MoCA -> Actiontec LAN -(eth cable)-> Cisco WAN port. This worked great, except now my VOD didn't work. So then I found this article....
http://www.dslreports.com/forum/r19559467-How-To-MI424WR-Network-Bridge-working-FIOS-TV
It was genius: add a second bridge from the Cisco LAN -(eth cable)-> Actiontec WAN -> local MoCA, and then put DHCP relay on the bridge. Everything worked again, hooray. Then I added an access list, and there went my VOD again.
So then I spent about two hours turning ports on and off and such, and finally I figured it out. You'll need to allow inbound established TCP connections that internal hosts create. This will get back your guide and allow the VOD menu to work again. Then you have to allow inbound connections on UDP port 21310. I applied it and lo and behold, VOD is back. Now my only problem is that the 831 only has a 10 Mb/s Ethernet WAN, so I can't get HD VOD, but ah well. I'll upgrade one of these days to an 851 or 871.
Here's what the access lists should look like in IOS:
permit tcp any host (your external IP address) established
permit udp any host (your external IP address) eq 21310
It is probably going to be a little bit different since you have an ASA, but I think you get the idea.
Setting up Site-to-Site VPN and nat on IOS
I have a scenario I am looking to set up. I have a Cisco 3825 router that handles roughly 50 site-to-site VPNs. I have a particular VPN where I would like to NAT (actually overload) off an interface for a specific VPN site-to-site tunnel. I know when you are doing NAT you of course have an inside and an outside interface, which I do on the router, but how would you overload (PAT) on an interface for just a specific VPN tunnel? Say you wanted to overload your entire internal supernet to a single private (RFC 1918) interface address? Typically the outside interface (nat outside), which you would overload off of, has a public IP address, but in this case you want to use a private RFC 1918 address as the source of the overload interface?
Any help is appreciated.
Hi,
Did you think of using a normal statement and a route map with that statement that only permits the VPN traffic to be NATed using that statement and denies any other translation? And for the crypto access-list you should use the PATed IP address as the source and the remote proxies as the destination.
Regards.
Cisco ASA Site to Site IPSEC VPN and NAT question
Hi Folks,
I have a question regarding both Site to Site IPSEC VPN and NAT. Basically what I want to achieve is to do the following:
ASA2 is at HQ and ASA1 is a remote site. I have no problem setting up a static Site to Site IPSEC VPN between sites. Hosts residing at 10.1.0.0/16 are able to communicate with hosts at 192.168.1.0/24, but what I want is to set up NAT with IPSEC VPN so that hosts at 10.1.0.0/16 will communicate with hosts at 192.168.1.0/24 using translated addresses.
Just an example:
Host N2 (10.1.0.1/16) will communicate with host N1 192.168.1.5 with destination, let's say, 10.23.1.5, not 192.168.1.5 (notice the last octet should be the same, in this case .5).
The same translation for the rest of the communication (Host N2 pings host N3 with destination IP 10.23.1.6, not 192.168.1.6; again the last octet is the same).
It sounds a bit confusing for me, but I have seen this type of setup before when I worked for a managed service provider where we had connections to our clients (Site to Site IPsec VPN with NAT, not sure how it was set up).
Basically we were communicating with client hosts over site to site VPN, but their real addresses were hidden and we were using translated addresses as mentioned above, 10.23.1.0/24 instead of the (real) 192.168.1.0/24; the last octet should be the same.
Appreciate it if someone can shed some light on it.
Hi,
Ok, so we're going with the older NAT configuration format.
Configure the ASA1 with Static Policy NAT
access-list L2LVPN-POLICYNAT permit ip 192.168.1.0 255.255.255.0 10.1.0.0 255.255.0.0
static (inside,outside) 10.23.1.0 access-list L2LVPN-POLICYNAT
Because the above is a Static Policy NAT, it means that the translation will only be done when the destination network is 10.1.0.0/16.
If you, for example, have a basic PAT configuration for inside -> outside traffic, the above NAT configuration and the actual PAT configuration won't interfere with each other.
On the ASA2 side you can normally configure NAT0 / NAT Exemption for the 10.1.0.0/16 network:
access-list INSIDE-NONAT remark L2LVPN NONAT
access-list INSIDE-NONAT permit ip 10.1.0.0 255.255.0.0 10.23.1.0 255.255.255.0
nat (inside) 0 access-list INSIDE-NONAT
You will have to take into consideration that your access-list defining the L2L VPN encrypted traffic must reflect the new NAT network:
ASA1: access-list L2LVPN-ENCRYPTIONDOMAIN permit ip 10.23.1.0 255.255.255.0 10.1.0.0 255.255.0.0
ASA2: access-list L2LVPN-ENCRYPTIONDOMAIN permit ip 10.1.0.0 255.255.0.0 10.23.1.0 255.255.255.0
I could test this setup tomorrow at work but let me know if it works out.
Please rate if it was helpful
- Jouni
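An added example (not from the thread or from Cisco) that models the translation Jouni describes for the question above: a static policy NAT that swaps the network part of 192.168.1.0/24 for 10.23.1.0/24 while preserving the host octet, the ASA's order of operations (policy NAT first, then the crypto map evaluated against the post-NAT source), and why the two encryption domains must mirror each other. The ACL names and networks are the ones given in the reply; the `Ace` class and the helper functions are constructed for the illustration.

```python
import ipaddress

IPNet = ipaddress.IPv4Network

# Networks from the thread: ASA1 is the remote site whose real 192.168.1.0/24
# must appear to HQ (behind ASA2, 10.1.0.0/16) as 10.23.1.0/24, with the host
# octet preserved (192.168.1.5 <-> 10.23.1.5).
REAL_REMOTE = ipaddress.ip_network("192.168.1.0/24")
MAPPED_REMOTE = ipaddress.ip_network("10.23.1.0/24")
HQ_NET = ipaddress.ip_network("10.1.0.0/16")


class Ace:
    """One 'permit ip <src-net> <dst-net>' entry of an ASA access-list
    (a constructed helper for the illustration)."""

    def __init__(self, src: str, dst: str):
        self.src = ipaddress.ip_network(src)
        self.dst = ipaddress.ip_network(dst)

    def matches(self, src_ip: str, dst_ip: str) -> bool:
        return (ipaddress.ip_address(src_ip) in self.src
                and ipaddress.ip_address(dst_ip) in self.dst)


# The policy NAT ACL and the two encryption domains exactly as the reply gives them.
POLICY_NAT = Ace("192.168.1.0/24", "10.1.0.0/16")          # L2LVPN-POLICYNAT on ASA1
ASA1_CRYPTO = Ace("10.23.1.0/24", "10.1.0.0/16")           # post-NAT identity
ASA2_CRYPTO = Ace("10.1.0.0/16", "10.23.1.0/24")           # mirror image at HQ
STALE_ASA1_CRYPTO = Ace("192.168.1.0/24", "10.1.0.0/16")   # the mistake to avoid


def translate(addr: str, real_net: IPNet, mapped_net: IPNet) -> str:
    """Static net-to-net NAT: swap the network part, keep the host part."""
    ip = ipaddress.ip_address(addr)
    if ip not in real_net or real_net.prefixlen != mapped_net.prefixlen:
        raise ValueError(f"{addr} has no 1:1 mapping from {real_net} to {mapped_net}")
    offset = int(ip) - int(real_net.network_address)
    return str(ipaddress.ip_address(int(mapped_net.network_address) + offset))


def asa1_outbound(src: str, dst: str, crypto_acl: Ace = ASA1_CRYPTO):
    """Packet leaving the remote site. The static policy NAT fires only when
    the packet matches L2LVPN-POLICYNAT (i.e. it is headed for HQ); the crypto
    map is then evaluated against the post-NAT source, which is why the
    encryption domain must name 10.23.1.0/24 rather than 192.168.1.0/24.
    Returns (source address as it leaves, whether the packet is encrypted)."""
    if POLICY_NAT.matches(src, dst):
        src = translate(src, POLICY_NAT.src, MAPPED_REMOTE)
    return src, crypto_acl.matches(src, dst)


def asa1_inbound(dst: str) -> str:
    """A packet arriving from HQ over the tunnel is addressed to the mapped
    network; the same static entry untranslates it to the real host."""
    return translate(dst, MAPPED_REMOTE, REAL_REMOTE)


def acls_mirror(a: Ace, b: Ace) -> bool:
    """The two encryption domains must be exact mirror images, otherwise the
    phase 2 proxy identities do not match and no IPsec SA is built."""
    return a.src == b.dst and a.dst == b.src


if __name__ == "__main__":
    print(asa1_outbound("192.168.1.5", "10.1.0.1"))        # ('10.23.1.5', True)
    print(asa1_outbound("192.168.1.5", "10.1.0.1", STALE_ASA1_CRYPTO))
    print(asa1_inbound("10.23.1.6"))                       # 192.168.1.6
    print(acls_mirror(ASA1_CRYPTO, ASA2_CRYPTO))           # True
```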
Remote Access VPN and NAT inside interface
Hi everyone,
I have configured Remote VPN access.
Inside interface and vpn pool is 10.0.0.0 subnet.
ASA inside interface has NAT exempt as per config below
nat (inside,outside) source static NETWORK_OBJ_10.0.0.0_24 NETWORK_OBJ_10.0.0.0_24 destination static NETWORK_OBJ_10.0.0.0_25 NETWORK_OBJ_10.0.0.0_25 no-proxy-arp route-lookup
object network NETWORK_OBJ_10.0.0.0_24
subnet 10.0.0.0 255.255.255.0
object network NETWORK_OBJ_10.0.0.0_25
subnet 10.0.0.0 255.255.255.128
Also i have ASA inside interface connected to R1 as below
R1 ---10.0.0.2------------inside int IP 10.0.0.1--------ASA
R1 has loopback int 192.168.50.1 and ASA has static route to it.
When i connect to remote access vpn i can ping the IP 192.168.50.1 from My pc which is connected to outside interface of ASA.
This ping works fine.
Mar 04 2014 21:58:27: %ASA-6-302020: Built inbound ICMP connection for faddr 10.0.0.52/1(LOCAL\ipsec-user) gaddr 192.168.50.1/0 laddr 192.168.50.1/0 (ipsec-user )
Mar 04 2014 21:58:28: %ASA-6-302021: Teardown ICMP connection for faddr 10.0.0.52/1(LOCAL\ipsec-user) gaddr 192.168.50.1/0 laddr 192.168.50.1/0 (ipsec-user) Mar 04 2014 21:58:27:
I need to understand how this ping works without exempting 192.168.50.0 from NATing,
or
how does NAT work for the above ping from 10.0.0.52 (the VPN user's PC IP) to the loopback interface of R1, in regards to NATing?
Regards
Mahesh
Hi Jouni,
IP address to PC is 10.0.0.52 ---------Assigned to Client PC.
Letting you know that I have removed the NAT config below from the inside to outside interface.
ASA inside interface has NAT exempt as per the config below:
nat (inside,outside) source static NETWORK_OBJ_10.0.0.0_24 NETWORK_OBJ_10.0.0.0_24 destination static NETWORK_OBJ_10.0.0.0_25 NETWORK_OBJ_10.0.0.0_25 no-proxy-arp route-lookup
object network NETWORK_OBJ_10.0.0.0_24
subnet 10.0.0.0 255.255.255.0
object network NETWORK_OBJ_10.0.0.0_25
subnet 10.0.0.0 255.255.255.128
Still ping works fine from VPN client PC to IP 192.168.50.1
Packet tracer output
ASA1# packet-tracer input outside icmp 10.0.0.52 8 0 192.168.50.1
Phase: 1
Type: ROUTE-LOOKUP
Subtype: input
Result: ALLOW
Config:
Additional Information:
in 192.168.50.1 255.255.255.255 inside
Phase: 2
Type: ACCESS-LIST
Subtype: log
Result: ALLOW
Config:
access-group outside_access_in in interface outside
access-list outside_access_in extended permit ip any host 192.168.50.1 log
access-list outside_access_in remark Allow Ping to Loopback IP of R1 Which is inside Network of ASA1
Additional Information:
Phase: 3
Type: NAT
Subtype: per-session
Result: ALLOW
Config:
Additional Information:
Phase: 4
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:
Phase: 5
Type: CP-PUNT
Subtype:
Result: ALLOW
Config:
Additional Information:
Phase: 6
Type: INSPECT
Subtype: np-inspect
Result: ALLOW
Config:
Additional Information:
Phase: 7
Type: VPN
Subtype: ipsec-tunnel-flow
Result: DROP
Config:
Additional Information:
Result:
input-interface: outside
input-status: up
input-line-status: up
output-interface: inside
output-status: up
output-line-status: up
Action: drop
Drop-reason: (acl-drop) Flow is denied by configured rule
I can ping from PC command prompt to IP 192.168.50.1 fine.
Here is second packet tracer
ASA1# packet-tracer input inside icmp 192.168.50.1 8 0 8.8.8.8
Phase: 1
Type: ROUTE-LOOKUP
Subtype: input
Result: ALLOW
Config:
Additional Information:
in 0.0.0.0 0.0.0.0 outside
Phase: 2
Type: ACCESS-LIST
Subtype: log
Result: ALLOW
Config:
access-group inside_access_in in interface inside
access-list inside_access_in extended permit ip any any
Additional Information:
Phase: 3
Type: NAT
Subtype: per-session
Result: ALLOW
Config:
Additional Information:
Phase: 4
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:
Phase: 5
Type: INSPECT
Subtype: np-inspect
Result: ALLOW
Config:
Additional Information:
Phase: 6
Type: INSPECT
Subtype: np-inspect
Result: ALLOW
Config:
Additional Information:
Phase: 7
Type: DEBUG-ICMP
Subtype:
Result: ALLOW
Config:
Additional Information:
Phase: 8
Type: DEBUG-ICMP
Subtype:
Result: ALLOW
Config:
Additional Information:
Phase: 9
Type: NAT
Subtype: per-session
Result: ALLOW
Config:
Additional Information:
Phase: 10
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:
Phase: 11
Type: FLOW-CREATION
Subtype:
Result: ALLOW
Config:
Additional Information:
New flow created with id 18033, packet dispatched to next module
Result:
input-interface: inside
input-status: up
input-line-status: up
output-interface: outside
output-status: up
output-line-status: up
Action: allow
So the question is: how is the ping from outside working without a NAT exempt from inside to outside?
So does the second packet tracer prove that I have no NAT config from the loopback to outside, and the ping works because I have NO NAT configured?
Regards
Mahesh
Question on best practice for NAT/PAT and client access to firewall IP
Imagine that I have this scenario:
Client(IP=192.168.1.1/24)--[CiscoL2 switch]--Router--CiscoL2Switch----F5 Firewall IP=10.10.10.1/24 (only one NIC, there is not outbound and inbound NIC configuration on this F5 firewall)
One of my users is complaining about the following:
When clients receive traffic from the F5 firewall (apparently the firewall is doing PAT, not NAT), the client sees IP address 10.10.10.1.
Do you see this as a problem? Should I make another IP address range available and do NAT properly so that clients will not see the firewall IP address? I don't see this situation as a problem, but please let me know if I am wrong.
Hi,
Static PAT is the same as static NAT, except it lets you specify the protocol (TCP or UDP) and port for the local and global addresses.
This feature lets you identify the same global address across many different static statements, so long as the port is different for each statement (you CANNOT use the same global address for multiple static NAT statements).
For example, if you want to provide a single address for global users to access FTP, HTTP, and SMTP, but these are all actually different servers on the local network, you can specify static PAT statements for each server that use the same global IP address but different ports.
And for PAT you cannot use the same pair of local and global addresses in multiple static statements between the same two interfaces.
Regards
Bjornarsb
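As an added example (not part of the thread), a small checker for the two rules in the reply above, run over constructed pre-8.3 style `static` statements: several static PAT entries may share one global address as long as the protocol/port differs, while plain static NAT entries may not share a global address at all. The address ranges are RFC 5737 documentation addresses and the statements are constructed; the parser handles only the two `static (real,mapped) [tcp|udp] global [port] local [port]` shapes shown.

```python
import re
from collections import defaultdict

# Constructed statements illustrating the rules: one global address shared by
# static PAT entries for FTP, HTTP and SMTP on three different inside hosts,
# plus two deliberate clashes (index 3 reuses tcp/80, index 5 reuses a global
# address already claimed by a plain static NAT at index 4).
STATIC_LINES = [
    "static (inside,outside) tcp 203.0.113.10 21 10.10.10.21 21 netmask 255.255.255.255",
    "static (inside,outside) tcp 203.0.113.10 80 10.10.10.80 80 netmask 255.255.255.255",
    "static (inside,outside) tcp 203.0.113.10 25 10.10.10.25 25 netmask 255.255.255.255",
    "static (inside,outside) tcp 203.0.113.10 80 10.10.10.81 8080 netmask 255.255.255.255",
    "static (inside,outside) 203.0.113.20 10.10.10.20 netmask 255.255.255.255",
    "static (inside,outside) 203.0.113.20 10.10.10.22 netmask 255.255.255.255",
]

IP = r"\d+\.\d+\.\d+\.\d+"
PAT_RE = re.compile(rf"^static \((\w+),(\w+)\) (tcp|udp) ({IP}) (\S+) ({IP}) (\S+)")
NAT_RE = re.compile(rf"^static \((\w+),(\w+)\) ({IP}) ({IP})")


def parse_static(line: str) -> dict:
    """Split one static statement into its fields; proto/ports are None for
    a plain static NAT. PAT is tried first because a PAT line would also
    partially match the shorter NAT pattern."""
    m = PAT_RE.match(line)
    if m:
        real_if, mapped_if, proto, gaddr, gport, laddr, lport = m.groups()
        return {"ifaces": (real_if, mapped_if), "proto": proto, "global": gaddr,
                "gport": gport, "local": laddr, "lport": lport}
    m = NAT_RE.match(line)
    if m:
        real_if, mapped_if, gaddr, laddr = m.groups()
        return {"ifaces": (real_if, mapped_if), "proto": None, "global": gaddr,
                "gport": None, "local": laddr, "lport": None}
    raise ValueError(f"not a static statement: {line}")


def find_conflicts(lines):
    """Return (reason, key, line_indexes) for every rule violation.
    Rule 1: a global address may appear in only one plain static NAT.
    Rule 2: static PAT entries may share a global address only if the
    (protocol, global port) pair differs between them."""
    nat_globals = defaultdict(list)
    pat_keys = defaultdict(list)
    for idx, entry in enumerate(parse_static(x) for x in lines):
        if entry["proto"] is None:
            nat_globals[(entry["ifaces"], entry["global"])].append(idx)
        else:
            pat_keys[(entry["ifaces"], entry["global"],
                      entry["proto"], entry["gport"])].append(idx)
    conflicts = []
    for (ifaces, gaddr), idxs in nat_globals.items():
        if len(idxs) > 1:
            conflicts.append(("static NAT reuses global address", gaddr, idxs))
    for (ifaces, gaddr, proto, gport), idxs in pat_keys.items():
        if len(idxs) > 1:
            conflicts.append(("static PAT reuses global port",
                              f"{gaddr} {proto}/{gport}", idxs))
    return conflicts


if __name__ == "__main__":
    for reason, key, idxs in find_conflicts(STATIC_LINES):
        print(f"{reason}: {key} at statements {idxs}")
```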
Router-to-PIX VPN Tunnels fade in and out
Does anyone know of any problems with Router-to-PIX VPN tunnels? For a number of months we've had about 35 831 Routers VPN'd into our PIX 515 and the tunnel has been stable. Recently, however, the tunnel has been dropping out at a number of sites.
When the tunnel goes down the users still have access to their local internet but obviously not to the shared network resources of the VPN tunnel. In most cases the tunnel can be re-established at each location simply by rebooting the router. The only problem with that is that some of the locations are having to reboot their 831 Router more than two or three times a day.
I've added keepalive statements into the config of the routers and the PIX. Specifically I've added these two lines to the routers:
Crypto isakmp keepalive 10 5
crypto ipsec security-association lifetime seconds 28800
I added a similar isakmp keepalive to the PIX. Any suggestions would be appreciated as some of my users are getting frustrated.
Thank you,
Chris
Try using the debug commands and see if you are getting any error messages that might give us some idea.
-
VPN Client Tunnel Connection Pix506E
Situation: Trying to connect to PiX 506e for vpn client tunnel. The tunnel shows the following when using the sho isa sa command:
qm_idle 0 0
then after about 3-4 minutes the client workstation is receiving the error: Reason 412: the remote peer is no longer responding
The same workstation on the same internet connection from the home office is able to connect to an ASA 5505 vpn client with no problems.
I have enabled NAT traversal on the PIX 506E and tried several options on the client side.
The Pix506E also has site to site vpn tunnels that are working without any problems.
Pix Software version: 6.3.5
Any ideas?
Try to connect from a different internet connection and see if you are having the same issue.
Also, turn on the logs on the vpn client and see why it's failing. -
Cisco ASA 5505 Site to site VPN IPSEC tunnel to an Clavister Firewall
Hi,
I have a weird problem with a Site to site VPN tunnel from a Cisco ASA 5505 to a Clavister Firewall.
When I restart the Cisco ASA 5505 the tunnel goes up and down, up, down, down, and I get all kinds of strange messages when I check whether the tunnel is up or down with the syntax: show crypto isakmp sa
After a while, like 5-10 min, the VPN site to site tunnel is up, and here is the strange thing happening: I have all access lists and tunnel access lists right, but I can only access one remote network (Main site Clavister Firewall) through the VPN tunnel behind the Cisco ASA 5505, and I have 5 more remote networks that I want to access, but only one remote network is working through the VPN tunnel behind the Cisco ASA. I see that when I do this syntax in the ASA: show crypto ipsec sa.
They had a Clavister Firewall before on that site and now they have a Cisco ASA 5505, and all the rules on the main site that has the big Clavister Firewall are intact, so the problems are in the Cisco ASA 5505.
Here are some logs that ASDM gives me about the tunnel issue, but like I said, the tunnel is up and only one remote network is reachable in that tunnel.....
3 Nov 21 2012 07:11:09 713902 Group = 195.149.180.254, IP = 195.149.169.254, Removing peer from correlator table failed, no match!
3 Nov 21 2012 07:11:09 713902 Group = 195.149.180.254, IP = 195.149.169.254, QM FSM error (P2 struct &0xc92462d0, mess id 0x1c6bf927)!
3 Nov 21 2012 07:11:09 713061 Group = 195.149.180.254, IP = 195.149.169.254, Rejecting IPSec tunnel: no matching crypto map entry for remote proxy 0.0.0.0/0.0.0.0/0/0 local proxy 0.0.0.0/0.0.0.0/0/0 on interface outside
5 Nov 21 2012 07:11:09 713119 Group = 195.149.180.254, IP = 195.149.169.254, PHASE 1 COMPLETED
Here is from the syntax: show crypto isakmp sa
Result of the command: "show crypto isakmp sa"
Active SA: 1
Rekey SA: 0 (A tunnel will report 1 Active and 1 Rekey SA during rekey)
Total IKE SA: 1
1 IKE Peer: 195.149.180.254
Type : L2L Role : responder
Rekey : no State : MM_ACTIVE
Result of the command: "show crypto ipsec sa"
interface: outside
Crypto map tag: CustomerCryptoMap, seq num: 10, local addr: 213.180.90.29
access-list arvika_garnisonen permit ip 172.22.65.0 255.255.255.0 192.168.123.0 255.255.255.0
local ident (addr/mask/prot/port): (172.22.65.0/255.255.255.0/0/0)
remote ident (addr/mask/prot/port): (192.168.123.0/255.255.255.0/0/0)
current_peer:195.149.180.254
#pkts encaps: 2188, #pkts encrypt: 2188, #pkts digest: 2188
#pkts decaps: 2082, #pkts decrypt: 2082, #pkts verify: 2082
#pkts compressed: 0, #pkts decompressed: 0
#pkts not compressed: 2188, #pkts comp failed: 0, #pkts decomp failed: 0
#pre-frag successes: 0, #pre-frag failures: 0, #fragments created: 0
#PMTUs sent: 0, #PMTUs rcvd: 0, #decapsulated frgs needing reassembly: 0
#send errors: 0, #recv errors: 0
local crypto endpt.: 213.180.67.29, remote crypto endpt.: 195.149.180.254
path mtu 1500, ipsec overhead 74, media mtu 1500
current outbound spi: E715B315
inbound esp sas:
spi: 0xFAC769EB (4207372779)
transform: esp-aes-256 esp-sha-hmac no compression
in use settings ={L2L, Tunnel, PFS Group 5, }
slot: 0, conn_id: 2879488, crypto-map: CustomerCryptoMap
sa timing: remaining key lifetime (kB/sec): (38738/2061)
IV size: 16 bytes
replay detection support: Y
Anti replay bitmap:
0xFFFFFFFF 0xFFFFFFFF
outbound esp sas:
spi: 0xE715B315 (3876958997)
transform: esp-aes-256 esp-sha-hmac no compression
in use settings ={L2L, Tunnel, PFS Group 5, }
slot: 0, conn_id: 2879488, crypto-map: CustomerCryptoMap
sa timing: remaining key lifetime (kB/sec): (38673/2061)
IV size: 16 bytes
replay detection support: Y
Anti replay bitmap:
0x00000000 0x00000001
And here are my Accesslists and vpn site to site config:
crypto isakmp enable outside
crypto isakmp policy 10
authentication pre-share
encryption aes-256
hash sha
group 5
lifetime 84600
crypto isakmp nat-traversal 40
crypto ipsec transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
crypto map CustomerCryptoMap 10 match address VPN_Tunnel
crypto map CustomerCryptoMap 10 set pfs group5
crypto map CustomerCryptoMap 10 set peer 195.149.180.254
crypto map CustomerCryptoMap 10 set transform-set ESP-AES-256-SHA
crypto map CustomerCryptoMap interface outside
access-list VPN_Tunnel extended permit ip 172.22.65.0 255.255.255.0 192.168.123.0 255.255.255.0 -------> This is the only remote network I can reach behind the Cisco ASA; the other remote networks don't work..
access-list VPN_Tunnel extended permit ip 172.22.65.0 255.255.255.0 host 10.1.34.5
access-list VPN_Tunnel extended permit ip 172.22.65.0 255.255.255.0 host 10.1.20.76
access-list VPN_Tunnel extended permit ip 172.22.65.0 255.255.255.0 host 62.88.129.221
access-list VPN_Tunnel extended permit ip 172.22.65.0 255.255.255.0 172.22.71.0 255.255.255.0
access-list nonat extended permit ip 172.22.65.0 255.255.255.0 192.168.123.0 255.255.255.0
access-list nonat extended permit ip 172.22.65.0 255.255.255.0 host 10.1.34.5
access-list nonat extended permit ip 172.22.65.0 255.255.255.0 host 10.1.20.76
access-list nonat extended permit ip 172.22.65.0 255.255.255.0 host 62.88.129.221
access-list nonat extended permit ip 172.22.65.0 255.255.255.0 172.22.71.0 255.255.255.0
nat (inside) 0 access-list nonat
All these remote networks are at the Main Site Clavister Firewall.
Best Regards
Michael
Hi,
I'd start by getting the configuration of the remote site related to Local/Remote network configurations and go through them. Even though no changes have been made.
If they are mirror images of each other already, I'd say it's probably some problem related to the Cisco/Clavister setup.
Seems especially weird to me that one of the error messages includes 0.0.0.0 lines.
I have run into some problems with L2L VPN configurations when our Cisco device just doesn't want to work with the remote end device. In some cases we have confirmed that our networks defined for the L2L VPN are exactly the same and yet when checking debugs on the ASA side we can see the remote end device using totally wrong network masks for the VPN negotiation and therefore it failed. That problem we corrected by changing the network masks a bit.
Maybe you could try to change the Encryption Domain configurations a bit and test it then.
You could also maybe take some debugs on Phase 2 and see if you get any more hints as to what could be the problem when only one network is working for the L2L VPN.
- Jouni -
IPsec VPN not working after upgrade to 8.4.7
Hi
Here is some small digram of my firewalls
LAN ---- FW(A) ----- S2S Tunnel ------- FW (B)------------------ LAN
| |
--------- Cisco VPN need to be run -------------
I used to run that VPN for more than three years with no issue, but after upgrading FW (A) from 8.2.5 to 8.4.7 I got the error message below:
Group = XXXX, Username = XXXX, IP = x..x.x.x, Skipping dynamic map SYSTEM_DEFAULT_CRYPTO_MAP sequence 65535: cannot match peerless map when peer found in previous map entry.
Please, does anybody have any clue about it and how I can solve that?
Mike
Hello Mike,
Basically, in older versions, when you hit a static crypto map and you did not match that static crypto map completely the connection continues until the dynamic crypto map. For that reason you could connect your IPSec clients before. A bug was opened about this vulnerability.
CSCuc75090 Bug Details
Crypto IPSec SA's are created by dynamic crypto map for static peers
Symptom:
When a static VPN peer adds any traffic to the crypto ACL, an SA is built even though the IP pair is not allowed in the crypto acl at the main side. Those SA's are eventually matched and setup by the dynamic crypto map instance.
Conditions:
This was an intended design since day one that enabled customers to fall through in case the static crypto map didn't provide the needed crypto services.
The SA needs to be initiated from a statically configured peer and a dynamic crypto map instance must be configured on the receiving end.
Workaround:
N/A
Meaning, if you are on the local network and would like to reach any host on the remote site you could use the L2L tunnel that is already established with the remote peer. However, if you are on any other external network you will need to use the VPN client to connect to the sites.
I hope this helps.
Luis. -
VPN not working after adding subinterface - ASA 5510
Hello,
Currently I want to add a second LAN (VLAN) in a customer's network. The new network will be for a wireless infrastructure.
There is also VPN Configured on the ASA - One with L2TP for Windows Clients and an IPsec for Cisco Clients.
Formerly we only had one outside (Eth0/0) and one inside interface (Eth0/1) on the ASA.
Now I want to use the Eth0/2 with subinterfaces, so that we will be flexible for future, when deploying more vlans.
But now, when I turn the first subinterface Eth0/2.2 to no-shut, the VPN connections do not work any more.
Building up the VPN connection works, but it seems that the traffic is not tunneled. (I checked this because a tracert to an internal address goes to the internet.)
Below is my config; I don't know what's wrong. I think split-tunnel is configured correctly (because it works when I delete Eth0/2.2).
TREV is the network of this location.
Company1,2,3 are remote locations.
: Saved
ASA Version 8.2(5)
hostname XXXXXXX
domain-name domain.lan
enable password XXXXXXXXXXX encrypted
passwd XXXXXXXXXX encrypted
names
name 192.168.100.0 TREV
name 192.168.200.0 COMPANY3
name XXXXXXXX Company1
name 192.168.1.0 Company2
name XXXXXXXXX GCT
name XXXXXXXX BMD
name 192.168.110.0 Wireless
name 192.168.201.0 COMPANY3-VPN
name 192.168.11.0 COMPANY2-VPN
name 192.168.101.0 TREV-VPN
interface Ethernet0/0
description Outside
nameif outside
security-level 0
ip address XXXXX 255.255.255.248
interface Ethernet0/1
description Inside
nameif inside
security-level 100
ip address 192.168.100.1 255.255.255.0
interface Ethernet0/2
description Trunk Interface
no nameif
no security-level
no ip address
interface Ethernet0/2.2
description Wireless
vlan 110
nameif wlan
security-level 100
ip address 192.168.110.1 255.255.255.0
interface Ethernet0/3
shutdown
no nameif
no security-level
no ip address
interface Management0/0
nameif management
security-level 100
ip address 192.168.1.1 255.255.255.0
management-only
ftp mode passive
dns domain-lookup inside
dns server-group DefaultDNS
name-server 192.168.100.10
domain-name domain.lan
dns server-group COMPANY2
name-server 192.168.1.16
domain-name domain.local
dns server-group COMPANY3
name-server 192.168.200.1
domain-name domain.local
same-security-traffic permit inter-interface
same-security-traffic permit intra-interface
object-group network VPN_Networks
network-object COMPANY3 255.255.255.0
network-object COMPANY3-VPN 255.255.255.0
network-object COMPANY2 255.255.255.0
network-object COMPANY2-VPN 255.255.255.0
network-object TREV 255.255.255.0
network-object TREV-VPN 255.255.255.0
object-group network DM_INLINE_NETWORK_1
network-object COMPANY2 255.255.255.0
network-object COMPANY3 255.255.255.0
network-object COMPANY3-VPN 255.255.255.0
network-object COMPANY2-VPN 255.255.255.0
network-object Wireless 255.255.255.0
access-list INCOMING remark *** ICMP Erlauben ***
access-list INCOMING extended permit icmp any any echo-reply
access-list INCOMING extended permit icmp any any time-exceeded
access-list INCOMING extended permit icmp any any unreachable
access-list INCOMING extended permit icmp any any parameter-problem
access-list INCOMING extended permit icmp any any source-quench
access-list INCOMING extended permit icmp any any echo
access-list INCOMING remark *** Wartung Company1 ***
access-list INCOMING remark *** Wartung BMD ***
access-list INCOMING remark *** Mail ***
access-list ......
access-list Trev-nat0 remark *** NoNat ***
access-list Trev-nat0 extended permit ip TREV 255.255.255.0 object-group VPN_Networks
access-list Trev-nat0 extended permit ip object-group VPN_Networks TREV 255.255.255.0
access-list Trev-nat0 extended permit ip TREV 255.255.255.0 object-group DM_INLINE_NETWORK_1
access-list DefaultRAGroup_splitTunnelAcl standard permit TREV 255.255.255.0
access-list outside_1_cryptomap extended permit ip TREV 255.255.255.0 object-group DM_INLINE_NETWORK_1
access-list inside_debug extended permit tcp any host 192.168.100.5
access-list inside_debug extended permit tcp any TREV 255.255.255.0
access-list Wireless-nat0 extended permit ip Wireless 255.255.255.0 TREV 255.255.255.0
pager lines 24
logging asdm informational
mtu outside 1500
mtu inside 1500
mtu management 1500
mtu wlan 1500
ip local pool VPN-Pool 192.168.101.1-192.168.101.31 mask 255.255.255.0
no failover
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-645.bin
no asdm history enable
arp timeout 14400
global (outside) 1 interface
global (outside) 2 XXXXXXXXXXX
nat (inside) 0 access-list Trev-nat0
nat (inside) 2 192.168.100.25 255.255.255.255
nat (inside) 2 192.168.100.250 255.255.255.255
nat (inside) 1 TREV 255.255.255.0
nat (wlan) 0 access-list Wireless-nat0
static (inside,outside) tcp interface 444 192.168.100.10 444 netmask 255.255.255.255
static (inside,outside) tcp interface https 192.168.100.10 https netmask 255.255.255.255
.... a lot of statics..............
static (inside,outside) tcp XXXXXXXXXX pop3 192.168.100.25 pop3 netmask 255.255.255.255
static (inside,outside) tcp XXXXXXXXXX 995 192.168.100.25 995 netmask 255.255.255.255
access-group INCOMING in interface outside
route outside 0.0.0.0 0.0.0.0 XXXXXXXXXX 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
dynamic-access-policy-record DfltAccessPolicy
aaa-server RADIUS protocol radius
aaa-server RADIUS (inside) host 192.168.100.10
timeout 5
key *****
radius-common-pw *****
aaa-server RADIUS2 protocol radius
aaa-server RADIUS2 (inside) host 192.168.100.10
key *****
radius-common-pw *****
aaa authentication ssh console LOCAL
http server enable 4430
http COMPANY2 255.255.255.0 management
http TREV 255.255.255.0 inside
http Company1 255.255.255.224 outside
http 0.0.0.0 0.0.0.0 outside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac
crypto ipsec transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac
crypto ipsec transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac
crypto ipsec transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
crypto ipsec transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto ipsec transform-set ESP-DES-SHA esp-des esp-sha-hmac
crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac
crypto ipsec transform-set TRANS_ESP_3DES_MD5 esp-3des esp-md5-hmac
crypto ipsec transform-set TRANS_ESP_3DES_MD5 mode transport
crypto ipsec transform-set TRANS_ESP_3DES_SHA esp-3des esp-sha-hmac
crypto ipsec transform-set TRANS_ESP_3DES_SHA mode transport
crypto ipsec transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
crypto ipsec transform-set TRANS_ESP_AES_128_SHA esp-aes esp-sha-hmac
crypto ipsec transform-set TRANS_ESP_AES_128_SHA mode transport
crypto ipsec transform-set TRANS_ESP_AES_256_SHA esp-aes-256 esp-sha-hmac
crypto ipsec transform-set TRANS_ESP_AES_256_SHA mode transport
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 TRANS_ESP_AES_128_SHA TRANS_ESP_AES_256_SHA TRANS_ESP_3DES_MD5 TRANS_ESP_3DES_SHA
crypto map outside_map 1 match address outside_1_cryptomap
crypto map outside_map 1 set pfs group1
crypto map outside_map 1 set peer 178.188.202.78
crypto map outside_map 1 set transform-set ESP-3DES-SHA
crypto map outside_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
crypto map outside_map interface outside
crypto isakmp enable outside
crypto isakmp policy 10
authentication pre-share
encryption 3des
hash md5
group 2
lifetime 86400
crypto isakmp policy 20
authentication pre-share
encryption des
hash sha
group 5
lifetime 28800
crypto isakmp policy 30
authentication pre-share
encryption 3des
hash sha
group 5
lifetime 86400
crypto isakmp policy 65535
authentication pre-share
encryption 3des
hash sha
group 2
lifetime 86400
telnet timeout 5
ssh bit-Studio 255.255.255.224 outside
ssh 0.0.0.0 0.0.0.0 outside
ssh TREV 255.255.255.0 inside
ssh timeout 60
console timeout 0
management-access inside
dhcpd address 192.168.1.2-192.168.1.254 management
dhcprelay server 192.168.100.10 inside
dhcprelay enable wlan
dhcprelay setroute wlan
dhcprelay timeout 90
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
webvpn
group-policy DefaultRAGroup internal
group-policy DefaultRAGroup attributes
wins-server value 192.168.100.10
dns-server value 192.168.100.10
vpn-tunnel-protocol IPSec l2tp-ipsec
split-tunnel-policy tunnelspecified
split-tunnel-network-list value DefaultRAGroup_splitTunnelAcl
default-domain value domain.lan
intercept-dhcp enable
group-policy IPsecVPN internal
group-policy IPsecVPN attributes
wins-server value 192.168.100.10
dns-server value 192.168.100.10
vpn-tunnel-protocol IPSec
split-tunnel-policy tunnelspecified
split-tunnel-network-list value DefaultRAGroup_splitTunnelAcl
default-domain value domain.lan
username admin password XXXXXXXXXX encrypted privilege 15
username vpntest password XXXXXXXXX nt-encrypted
tunnel-group DefaultRAGroup general-attributes
address-pool VPN-Pool
authentication-server-group RADIUS
default-group-policy DefaultRAGroup
tunnel-group DefaultRAGroup ipsec-attributes
pre-shared-key *****
tunnel-group DefaultRAGroup ppp-attributes
no authentication chap
authentication ms-chap-v2
tunnel-group XXXXXXXXX type ipsec-l2l
tunnel-group XXXXXXXXXXXX ipsec-attributes
pre-shared-key *****
tunnel-group IPsecVPN type remote-access
tunnel-group IPsecVPN general-attributes
address-pool VPN-Pool
authentication-server-group RADIUS
default-group-policy IPsecVPN
tunnel-group IPsecVPN ipsec-attributes
pre-shared-key *****
class-map inspection_default
match default-inspection-traffic
policy-map type inspect dns preset_dns_map
parameters
message-length maximum client auto
message-length maximum 512
policy-map global_policy
class inspection_default
inspect dns preset_dns_map
inspect ftp
inspect h323 h225
inspect h323 ras
inspect rsh
inspect rtsp
inspect sqlnet
inspect skinny
inspect sunrpc
inspect xdmcp
inspect sip
inspect netbios
inspect tftp
inspect ip-options
service-policy global_policy global
prompt hostname context
no call-home reporting anonymous
Cryptochecksum:f2041a5902e945a130fe25fbb8e5d368
: end
Hi,
First I would go through all the NAT0/NAT Exempt rules you have for VPNs. They seem to contain useless lines where either the destination or source network isn't correct.
Let's look at the NAT0 ACL you have line by line:
access-list Trev-nat0 extended permit ip TREV 255.255.255.0 object-group VPN_Networks
The above access-list line has the correct source network configured, yet it has its destination addresses configured with an "object-group" which contains your LAN network.
You should probably remove the LAN network from the object-group VPN_Networks.
access-list Trev-nat0 extended permit ip object-group VPN_Networks TREV 255.255.255.0
To my understanding the above ACL line doesn't serve any purpose, as the networks configured under VPN_Networks aren't located behind your "inside" interface (other than the one I'm asking to remove from the object-group).
access-list Trev-nat0 extended permit ip TREV 255.255.255.0 object-group DM_INLINE_NETWORK_1
The above ACL line overlaps with the very first ACL line's configuration and needlessly makes the configuration harder to read. It also contains the Wireless network, which it shouldn't.
I would suggest simplifying your NAT0 configuration, for example in the following way (change the names if you want, if you're going to try it out):
object-group network TREV-LAN
description Local networks
network-object 192.168.100.0 255.255.255.0
object-group network VPN-NETWORKS
description Remote networks
network-object 192.168.200.0 255.255.255.0
network-object 192.168.201.0 255.255.255.0
network-object 192.168.1.0 255.255.255.0
network-object 192.168.11.0 255.255.255.0
network-object 192.168.101.0 255.255.255.0
access-list TREV-LAN-NAT0 remark NAT0 / NAT Exempt for VPN Connections
access-list TREV-LAN-NAT0 permit ip object-group TREV-LAN object-group VPN-NETWORKS
With the above configurations
You have all NAT0 with a single line of access-list configuration (not counting the remark line, as it doesn't affect anything).
If there are changes in the VPN pools, VPN remote networks or LAN networks you can simply change them under the configured object-groups instead of touching the actual ACL. There might be situations where you should change the ACL from the above if there are some bigger changes to the network.
So as I said, I would start with changing the above NAT configurations and then test the VPN again. If it doesn't work we will have to check some other things out.
- Jouni -
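The two checks Jouni describes in his replies above, that the local and remote encryption domains for the Clavister tunnel be exact mirror images, and that a NAT0 list carry no overlapping or misplaced lines, can be done mechanically. The following is an added example, not code from the thread or from Cisco: it expands ASA 8.2 `access-list` lines and `object-group network` definitions into concrete (source, destination) network pairs and flags redundant NAT0 pairs, pairs that do not belong on the inside interface, and crypto-ACL entries the peer does not mirror. The NAT0 sample is constructed from the thread's Trev-nat0 configuration with its `names` aliases resolved; the crypto samples are constructed, and the peer-side list is a stand-in written in ASA syntax.

```python
"""Expand ASA 8.2 object-group ACLs into concrete (src, dst) network pairs and
sanity-check them. Added example; not code from the thread or from Cisco."""
import ipaddress

Net = ipaddress.IPv4Network


def _operand(tok, i, groups):
    """Consume one ACL address operand at tok[i]; return (networks, next index)."""
    if tok[i] == "any":
        return [Net("0.0.0.0/0")], i + 1
    if tok[i] == "host":
        return [Net(tok[i + 1] + "/32")], i + 2
    if tok[i] == "object-group":
        return list(groups[tok[i + 1]]), i + 2
    return [Net(tok[i] + "/" + tok[i + 1], strict=False)], i + 2


def parse_config(text):
    """Return (groups, acls): group name -> [Net]; ACL name -> [(src, dst)] pairs
    taken from 'permit ip' lines only (remarks, standard and tcp lines skipped)."""
    groups, acls, current = {}, {}, None
    for raw in text.splitlines():
        tok = raw.split()
        if not tok:
            continue
        if tok[:2] == ["object-group", "network"]:
            current = groups.setdefault(tok[2], [])
        elif tok[0] == "network-object" and current is not None:
            current.extend(_operand(tok, 1, groups)[0])
        elif tok[0] == "access-list" and tok[2] != "remark" and "permit" in tok:
            current = None
            i = tok.index("permit") + 1
            if tok[i] == "ip":
                src, i = _operand(tok, i + 1, groups)
                dst, _ = _operand(tok, i, groups)
                acls.setdefault(tok[1], []).extend((s, d) for s in src for d in dst)
    return groups, acls


def redundant_pairs(pairs):
    """Pairs already covered by an earlier pair in the same ACL (overlapping lines)."""
    return [(s, d) for n, (s, d) in enumerate(pairs)
            if any(s.subnet_of(ps) and d.subnet_of(pd) for ps, pd in pairs[:n])]


def misplaced_pairs(pairs, local_nets):
    """For a NAT0 ACL applied on the inside interface: pairs whose source is not a
    local LAN (never seen on that interface) or whose destination is one."""
    def local(n):
        return any(n.subnet_of(l) for l in local_nets)
    return [(s, d) for s, d in pairs if not local(s) or local(d)]


def mirror_gaps(local_pairs, peer_pairs):
    """Local crypto-ACL pairs the peer does not mirror exactly as (dst, src)."""
    mirrored = {(d, s) for s, d in peer_pairs}
    return [p for p in local_pairs if p not in mirrored]


# Constructed sample modelled on the thread's Trev-nat0 list, with the config's
# "names" aliases replaced by the addresses it defines for them.
NAT0_SAMPLE = """
object-group network VPN_Networks
 network-object 192.168.200.0 255.255.255.0
 network-object 192.168.201.0 255.255.255.0
 network-object 192.168.1.0 255.255.255.0
 network-object 192.168.11.0 255.255.255.0
 network-object 192.168.100.0 255.255.255.0
 network-object 192.168.101.0 255.255.255.0
object-group network DM_INLINE_NETWORK_1
 network-object 192.168.1.0 255.255.255.0
 network-object 192.168.200.0 255.255.255.0
 network-object 192.168.201.0 255.255.255.0
 network-object 192.168.11.0 255.255.255.0
 network-object 192.168.110.0 255.255.255.0
access-list Trev-nat0 remark *** NoNat ***
access-list Trev-nat0 extended permit ip 192.168.100.0 255.255.255.0 object-group VPN_Networks
access-list Trev-nat0 extended permit ip object-group VPN_Networks 192.168.100.0 255.255.255.0
access-list Trev-nat0 extended permit ip 192.168.100.0 255.255.255.0 object-group DM_INLINE_NETWORK_1
"""

# Constructed crypto ACLs: the local list follows two of the thread's VPN_Tunnel
# entries; the peer's encryption domain is written in the same syntax (the real
# peer is not a Cisco box) with one deliberately wider mask for the second entry.
LOCAL_CRYPTO = """
access-list VPN_Tunnel extended permit ip 172.22.65.0 255.255.255.0 192.168.123.0 255.255.255.0
access-list VPN_Tunnel extended permit ip 172.22.65.0 255.255.255.0 host 10.1.34.5
"""
PEER_CRYPTO = """
access-list PEER extended permit ip 192.168.123.0 255.255.255.0 172.22.65.0 255.255.255.0
access-list PEER extended permit ip 10.1.34.0 255.255.255.0 172.22.65.0 255.255.255.0
"""


def nat0_report():
    """Both NAT0 checks on the sample: returns (redundant pairs, misplaced pairs)."""
    pairs = parse_config(NAT0_SAMPLE)[1]["Trev-nat0"]
    return redundant_pairs(pairs), misplaced_pairs(pairs, [Net("192.168.100.0/24")])


def crypto_report():
    """Mirror check between the constructed local and peer crypto ACLs."""
    local = parse_config(LOCAL_CRYPTO)[1]["VPN_Tunnel"]
    peer = parse_config(PEER_CRYPTO)[1]["PEER"]
    return mirror_gaps(local, peer)
```

On the sample, `nat0_report()` flags five redundant pairs (the LAN-to-LAN duplicate plus the four pairs DM_INLINE_NETWORK_1 repeats from the first line) and seven misplaced ones, and `crypto_report()` reports the /32 host entry that the peer only mirrors as a /24.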
Verification on the asa 8.4 5505 about PAT and port forwarding.
hi all
I have the topology as below:
inside------------eth0/1-------asa---eth0/7---------outside-------------------internet
my goal is
I want to make PAT of the inside network (10.66.12.0/24) with the outside interface when it requests the internet
also ,
I need port forwarding to the following hosts:
10.66.12.122 to 3389
10.66.12.249 to http
10.66.12.249 to https
10.66.12.249 to citrix
=============================================================
I just need somebody to check whether my config is correct
=============================================================
I have an ASA 5505 with:
ASAAAAA(config)# sh version
Cisco Adaptive Security Appliance Software Version 8.4(2)
Device Manager Version 6.4(5)
Compiled on Wed 15-Jun-11 18:17 by builders
System image file is "disk0:/asa842-k8.bin"
Config file at boot was "startup-config"
ASAAAAA up 1 hour 32 mins
Hardware: ASA5505, 512 MB RAM, CPU Geode 500 MHz
Internal ATA Compact Flash, 128MB
BIOS Flash M50FW016 @ 0xfff00000, 2048KB
Encryption hardware device : Cisco ASA-5505 on-board accelerator (revision 0x0)
Boot microcode : CN1000-MC-BOOT-2.00
SSL/IKE microcode : CNLite-MC-SSLm-PLUS-2.03
IPSec microcode : CNlite-MC-IPSECm-MAIN-2.06
Number of accelerators: 1
0: Int: Internal-Data0/0 : address is d48c.b597.ce35, irq 11
1: Ext: Ethernet0/0 : address is d48c.b597.ce2d, irq 255
2: Ext: Ethernet0/1 : address is d48c.b597.ce2e, irq 255
3: Ext: Ethernet0/2 : address is d48c.b597.ce2f, irq 255
4: Ext: Ethernet0/3 : address is d48c.b597.ce30, irq 255
5: Ext: Ethernet0/4 : address is d48c.b597.ce31, irq 255
6: Ext: Ethernet0/5 : address is d48c.b597.ce32, irq 255
7: Ext: Ethernet0/6 : address is d48c.b597.ce33, irq 255
8: Ext: Ethernet0/7 : address is d48c.b597.ce34, irq 255
9: Int: Internal-Data0/1 : address is 0000.0003.0002, irq 255
10: Int: Not used : irq 255
11: Int: Not used : irq 255
Licensed features for this platform:
Maximum Physical Interfaces : 8 perpetual
VLANs : 3 DMZ Restricted
Dual ISPs : Disabled perpetual
VLAN Trunk Ports : 0 perpetual
Inside Hosts : 50 perpetual
Failover : Disabled perpetual
VPN-DES : Enabled perpetual
VPN-3DES-AES : Enabled perpetual
AnyConnect Premium Peers : 2 perpetual
AnyConnect Essentials : Disabled perpetual
Other VPN Peers : 10 perpetual
Total VPN Peers : 25 perpetual
Shared License : Disabled perpetual
AnyConnect for Mobile : Disabled perpetual
AnyConnect for Cisco VPN Phone : Disabled perpetual
Advanced Endpoint Assessment : Disabled perpetual
UC Phone Proxy Sessions : 2 perpetual
Total UC Proxy Sessions : 2 perpetual
Botnet Traffic Filter : Disabled perpetual
Intercompany Media Engine : Disabled perpetual
This platform has a Base license.
Serial Number: JMX162740GP
Running Permanent Activation Key: 0x6801f547 0xe81c57c4 0x20f339f4 0xaaf48040 0x480e2fbc
Configuration register is 0x100003
Configuration last modified by enable_15 at 23:58:15.999 UTC Wed Jan 22 2014
ASAAAAA(config)# sh run
: Saved
ASA Version 8.4(2)
hostname ASAAAAA
enable password ffffCCSH encrypted
passwd 2KFfffff2KYOU encrypted
names
interface Ethernet0/0
interface Ethernet0/1
interface Ethernet0/2
interface Ethernet0/3
interface Ethernet0/4
interface Ethernet0/5
interface Ethernet0/6
interface Ethernet0/7
switchport access vlan 2
interface Vlan1
nameif ins
security-level 100
ip address 10.66.12.1 255.255.255.0
interface Vlan2
nameif outside
security-level 50
ip address x.x.55.34 255.255.255.248
boot system disk0:/asa842-k8.bin
ftp mode passive
same-security-traffic permit inter-interface
same-security-traffic permit intra-interface
object network obj_any
subnet 0.0.0.0 0.0.0.0
object network obj-0.0.0.0
host 0.0.0.0
object network localsubnet
subnet 10.66.12.0 255.255.255.0
description localsubnet
object network HTTP-Host
host 10.66.12.249
description web server
object network HTTPS-HOST
host 10.66.12.249
description Https
object network RDP-Host
host 10.66.12.122
description RDP host
object network citrix-host
host 10.66.12.249
description citrix
object service rdp
service tcp destination eq 3389
object service https
service tcp destination eq https
object service citrix
service tcp destination eq 2598
object service http
service tcp destination eq www
object-group network RDP-REDIRECT
object-group network HTTP-REDIRECT
object-group network HTTPS-REDIRECT
object-group network CITRIX-ICA-HDX-REDIRECTION
object-group network CITRIX-ICA-SESSION-RELIABILITY-REDIRECTION
object-group service CITRIX-ICA-HDX
object-group service CITRIX-SR
object-group service RDP
object-group network MY-insideNET
network-object 10.66.12.0 255.255.255.0
object-group service DM_INLINE_SERVICE_1
service-object object citrix
service-object object http
service-object object https
service-object object rdp
access-list outside_access_in extended permit object-group DM_INLINE_SERVICE_1 any interface outside
pager lines 24
mtu ins 1500
mtu outside 1500
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-645.bin
no asdm history enable
arp timeout 14400
nat (ins,outside) source static RDP-Host interface service rdp rdp
nat (ins,outside) source static HTTP-Host interface service http http
nat (ins,outside) source static citrix-host interface service citrix citrix
object network obj_any
nat (ins,outside) dynamic obj-0.0.0.0
object network localsubnet
nat (ins,outside) dynamic interface
access-group outside_access_in in interface outside
route outside 0.0.0.0 0.0.0.0 x.x.55.33 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
dynamic-access-policy-record DfltAccessPolicy
user-identity default-domain LOCAL
aaa authentication http console LOCAL
aaa authentication ssh console LOCAL
aaa authentication telnet console LOCAL
http server enable
http 10.66.12.0 255.255.255.0 ins
http 0.0.0.0 0.0.0.0 outside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ca trustpoint _SmartCallHome_ServerCA
crl configure
crypto ca certificate chain _SmartCallHome_ServerCA
certificate ca 6ecc7aa5a7032009b8cebcf4e952d491
quit
telnet timeout 5
ssh timeout 5
console timeout 0
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
webvpn
username ADMIN password 5iEuCUW0P3ThngqY encrypted privilege 15
username cisco password eT0.bmvcLOAQcNEL encrypted privilege 15
prompt hostname context
call-home reporting anonymous
call-home
profile CiscoTAC-1
no active
destination address http https://tools.cisco.com/its/service/oddce/services/DDCEService
destination address email [email protected]
destination transport-method http
subscribe-to-alert-group diagnostic
subscribe-to-alert-group environment
subscribe-to-alert-group inventory periodic monthly
subscribe-to-alert-group configuration periodic monthly
subscribe-to-alert-group telemetry periodic daily
Cryptochecksum:65c9b8c35749959d1159e162ff106166
: end
=======================================================
I configured PAT, port forwarding and access rules.
I just want to verify my work.
Regards
Hi,
Don't think I can really give you an answer but thought I'd write anyway.
It does seem, on the basis of the documentation of the ASA (8.4), that with Twice NAT you won't be able to do any modifications to the DNS replies.
Here's one quote from the Configuration Guide:
Configuring Network Address Translation -> Information About NAT -> DNS and NAT
If you configure a twice NAT rule, you cannot configure DNS modification if you specify the source address as well as the destination address. These kinds of rules can potentially have a different translation for a single address when going to A vs. B. Therefore, the ASA cannot accurately match the IP address inside the DNS reply to the correct twice NAT rule; the DNS reply does not contain information about which source/destination address combination was in the packet that prompted the DNS request.
So if I'm not totally wrong, I guess your options might be to either
Start doing changes to the local DNS server directly?
Separate the remote overlapping network from your current firewall with another firewall device?
I don't know the whole setup so this might be impossible.
Thinking that if the NAT for the remote overlapping network was done on another firewall, it could do the DNS reply changes before they arrived on your ASA from the remote DNS server?
I have not really had to tackle such a situation before. I most commonly run into situations where a customer has a public IP configured with 1:1 Static NAT and there is no DNS parameter in the Static NAT configuration while the customer tries to use the DNS name to connect to their local server.
Just some of my thoughts. Maybe someone else might have more experience with the same type of situations.
- Jouni -
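As an added example (not from this thread and not from Cisco's documentation; the interface names, object names and addresses are assumed), here are the two NAT forms the quoted passage contrasts, written for ASA 8.3 and later. The `dns` keyword is accepted on object NAT, where one real address has exactly one mapped address, but not on a twice NAT rule that names both a source and a destination:

```cisco
! Object NAT (section 2): one real address maps to one mapped address, so an
! A record carrying the mapped address can be rewritten unambiguously.
! Assumed addresses: inside server 10.10.10.2, mapped to 203.0.113.8.
object network SERVER1-REAL
 host 10.10.10.2
 nat (inside,outside) static 203.0.113.8 dns

! Twice NAT (section 1) with source AND destination: the translation of
! 10.10.10.0/24 depends on where the packet is going, so the ASA cannot tell
! from a DNS reply alone which rule applies. The dns keyword is not accepted
! on this form, so leave it off and fix DNS elsewhere, as the reply suggests.
! Assumed: remote site also uses 10.10.10.0/24; inside hosts reach it as
! 192.168.200.0/24 (destination objects are listed mapped first, then real).
object network LOCAL-LAN
 subnet 10.10.10.0 255.255.255.0
object network REMOTE-OVERLAP-REAL
 subnet 10.10.10.0 255.255.255.0
object network REMOTE-OVERLAP-MAPPED
 subnet 192.168.200.0 255.255.255.0
nat (inside,outside) source static LOCAL-LAN LOCAL-LAN destination static REMOTE-OVERLAP-MAPPED REMOTE-OVERLAP-REAL

! DNS rewrite only happens while DNS inspection is enabled; this is the
! default global policy, shown here so it can be checked with "show run policy-map".
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map
```

Check the result with `show nat` (the twice NAT rule appears under section 1, the object rule under section 2) and `show service-policy inspect dns`; if DNS inspection has been removed from the global policy, the `dns` keyword on the object rule has no effect at all.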
Remote access VPN to server from outside and server reach internet on the same time
Dear,
I have a problem in my ASA 5515-X: when I make a remote access VPN to the servers in the inside zone, the internet connection is disconnected on the servers, or when I have internet on the servers, the remote access can't reach the servers.
The configuration for the servers is a static NAT for each server, and the VPN connection is to another public IP in the same subnet as the NAT IPs.
server1 : 10.10.10.2 nat to 5.6.7.8
server2: 10.10.10.3 nat to 5.6.7.9
server3: 10.10.10.4 nat to 5.6.7.10
VPN connection to 5.6.7.12
Is there any solution for this scenario: remote VPN to the servers and at the same time the servers have internet reachability for downloading updates, etc.?
Hi,
So it seems that the problem is a lacking NAT0 configuration.
You could modify the below configuration to match your networks/IP addresses used. In the below configuration I presume that you have interfaces "inside" and "outside".
object network SERVER-NETWORK
subnet <server network address> <network mask>
object network VPN-POOL
subnet <vpn pool network address> <network mask>
nat (inside,outside) 1 source static SERVER-NETWORK SERVER-NETWORK destination static VPN-POOL VPN-POOL
Just insert the correct address related information and change the "object" and interface names if required.
This configuration will tell the ASA that no NAT will be performed for traffic between the VPN-POOL and SERVER-NETWORK. The NAT configuration is bidirectional. With this configuration the Static NAT configurations will continue to work for the servers' Internet traffic and this NAT0 configuration will be applied only to the VPN Client traffic.
Hope this helps :)
- Jouni
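As an added example, not part of Jouni's answer, here is the complete NAT picture for the scenario in the question (server addresses and mapped addresses are the ones given above; the interface names `inside`/`outside` and the VPN client pool 192.168.100.0/24 are assumed). The point it makes explicit is rule ordering: a manual (twice) NAT rule lives in section 1 and is evaluated before the per-object static rules in section 2, so the identity rule catches VPN traffic first while everything else from the servers still hits the statics:

```cisco
! Section 2: static translations for Internet traffic (from the question).
object network SERVER1
 host 10.10.10.2
 nat (inside,outside) static 5.6.7.8
object network SERVER2
 host 10.10.10.3
 nat (inside,outside) static 5.6.7.9
object network SERVER3
 host 10.10.10.4
 nat (inside,outside) static 5.6.7.10

! Objects for the identity rule. VPN pool address is assumed.
object network SERVER-NETWORK
 subnet 10.10.10.0 255.255.255.0
object network VPN-POOL
 subnet 192.168.100.0 255.255.255.0

! Section 1, position 1: identity (NAT0) rule for client <-> server traffic.
! Checked before the object rules above, so VPN traffic is never translated to
! 5.6.7.x. no-proxy-arp stops the ASA answering ARP for the pool on the outside
! interface; route-lookup makes the egress interface come from the routing table
! rather than from the NAT rule (both available from 8.4(2)).
nat (inside,outside) 1 source static SERVER-NETWORK SERVER-NETWORK destination static VPN-POOL VPN-POOL no-proxy-arp route-lookup

! Verification: the NAT phase of packet-tracer should name the identity rule
! for traffic towards the pool and the static rule for traffic towards the
! Internet (198.51.100.1 is a placeholder destination).
! packet-tracer input inside tcp 10.10.10.2 443 192.168.100.10 50000
! packet-tracer input inside tcp 10.10.10.2 443 198.51.100.1 50000
! show nat
```

If `show nat` lists the identity rule below the object rules, it was entered without the position argument after other manual rules; re-add it with `1` as above, or move it with `nat (inside,outside) 1 ...`, since the first matching rule wins and order is the whole fix here.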