An intuitive utility to help find the CSS path to UI elements on a webpage. These paths are used frequently in a variety of front-end development and QA automation tasks.
One of a set of tools we're offering as a way of saying thank you for being a part of the community.
COURSE of the MONTH
9 days, left to enrollBecome a Premium Member and unlock a new, free course in leading technologies each month.
Solved
How to Configure Cisco ASA 5505 to support VPN with 1-to-1 NAT
Posted on 2010-09-09
I have a Cisco ASA 5505 that I need to configure for a VPN (LAN-to-LAN) connection between a local office and a remote facility. The problem is that the remote facility is requiring me to use a different IP address for the local server, so I am assuming NAT needs to be involved.
Basically, a single local server (LOCAL_SERVER) needs bi-directional communicate with 3 remote servers (REMOTE_SERVER1, 2, 3). The remote servers need to "think" they are talking with a translated address (LOCAL_SERVER_NAT).
My present configuration is not working and I don't trust that I have the config correct. Can someone please examine the config and tell me what needs to change?
TIA
--------------------------
Result of the command: "show running-config"
: Saved
:
ASA Version 7.2(4)
!
hostname ciscoasa
domain-name XXXXX
enable password XXXXXXXXXXXXXX encrypted
passwd XXXXXXXXXXXXXXXXX encrypted
names
name 192.168.1.2 LOCAL_SERVER description Local server that will be communicating via VPN
name 10.9.203.252 REMOTE_SERVER1 description Remote server to communicate via VPN
name 10.9.203.253 REMOTE_SERVER2 description Remote server to communicate via VPN
name 10.9.195.46 REMOTE_SERVER3 description Remote server to communicate via VPN
name 172.16.21.21 LOCAL_SERVER_NAT description Translated IP for LOCAL_SERVER to communicate via VPN
!
interface Vlan1
nameif inside
security-level 100
ip address 192.168.1.1 255.255.255.0
!
interface Vlan2
nameif outside
security-level 0
ip address xx.xx.xx.xx 255.255.255.252
!
interface Vlan3
no forward interface Vlan1
nameif dmz
security-level 50
no ip address
!
interface Ethernet0/0
switchport access vlan 2
!
interface Ethernet0/1
!
interface Ethernet0/2
!
interface Ethernet0/3
!
interface Ethernet0/4
!
interface Ethernet0/5
!
interface Ethernet0/6
!
interface Ethernet0/7
!
ftp mode passive
dns server-group DefaultDNS
domain-name xxxxx.local
object-group service RDP tcp
description RDP
port-object eq 3389
object-group service MedTrak tcp
description MedTrak
port-object eq 9091
object-group service 3390 tcp
description 3390
port-object eq 3390
object-group network REMOTE_SERVERS
description Remote servers involved in VPN communications
network-object host REMOTE_SERVER3
network-object host REMOTE_SERVER1
network-object host REMOTE_SERVER2
access-list outside_access_in extended permit tcp any host dbServer eq 3389
access-list outside_access_in extended permit tcp any host dbServer eq 9091
access-list outside_access_in extended permit tcp any host dbServer eq 3390
access-list outside_in extended permit tcp any interface outside eq 3389
access-list outside_in extended permit tcp any interface outside eq 9091
access-list inside_nat_static extended permit ip host LOCAL_SERVER object-group REMOTE_SERVERS
pager lines 24
logging enable
logging asdm informational
mtu inside 1500
mtu outside 1500
mtu dmz 1500
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-524.bin
no asdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 1 0.0.0.0 0.0.0.0
static (inside,outside) tcp interface 3389 dbServer 3389 netmask 255.255.255.255
static (inside,outside) tcp interface 9091 dbServer 9091 netmask 255.255.255.255
static (inside,outside) LOCAL_SERVER_NAT access-list inside_nat_static
access-group outside_in in interface outside
route outside 0.0.0.0 0.0.0.0 74.95.237.130 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
http server enable
http 192.168.1.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto map outside_map 1 match address inside_nat_static
crypto map outside_map 1 set peer 192.xx.xx.xx
crypto map outside_map 1 set transform-set ESP-3DES-MD5
crypto map outside_map interface outside
crypto isakmp enable outside
crypto isakmp policy 10
authentication pre-share
encryption 3des
hash md5
group 2
lifetime 86400
telnet timeout 5
ssh timeout 5
console timeout 0
dhcpd auto_config outside
!
dhcpd address 192.168.1.100-192.168.1.20
dhcpd dns dbServer interface inside
dhcpd wins dbServer interface inside
dhcpd lease 1048575 interface inside
dhcpd ping_timeout 900 interface inside
dhcpd domain xxxxx.local interface inside
dhcpd enable inside
!
tunnel-group 192.xx.xx.xx type ipsec-l2l
tunnel-group 192.xx.xx.xx ipsec-attributes
pre-shared-key *
!
!
prompt hostname context
Cryptochecksum:dfXXXXXXXXX
: end
Basically, a single local server (LOCAL_SERVER) needs bi-directional communicate with 3 remote servers (REMOTE_SERVER1, 2, 3). The remote servers need to "think" they are talking with a translated address (LOCAL_SERVER_NAT).
My present configuration is not working and I don't trust that I have the config correct. Can someone please examine the config and tell me what needs to change?
TIA
--------------------------
Result of the command: "show running-config"
: Saved
:
ASA Version 7.2(4)
!
hostname ciscoasa
domain-name XXXXX
enable password XXXXXXXXXXXXXX encrypted
passwd XXXXXXXXXXXXXXXXX encrypted
names
name 192.168.1.2 LOCAL_SERVER description Local server that will be communicating via VPN
name 10.9.203.252 REMOTE_SERVER1 description Remote server to communicate via VPN
name 10.9.203.253 REMOTE_SERVER2 description Remote server to communicate via VPN
name 10.9.195.46 REMOTE_SERVER3 description Remote server to communicate via VPN
name 172.16.21.21 LOCAL_SERVER_NAT description Translated IP for LOCAL_SERVER to communicate via VPN
!
interface Vlan1
nameif inside
security-level 100
ip address 192.168.1.1 255.255.255.0
!
interface Vlan2
nameif outside
security-level 0
ip address xx.xx.xx.xx 255.255.255.252
!
interface Vlan3
no forward interface Vlan1
nameif dmz
security-level 50
no ip address
!
interface Ethernet0/0
switchport access vlan 2
!
interface Ethernet0/1
!
interface Ethernet0/2
!
interface Ethernet0/3
!
interface Ethernet0/4
!
interface Ethernet0/5
!
interface Ethernet0/6
!
interface Ethernet0/7
!
ftp mode passive
dns server-group DefaultDNS
domain-name xxxxx.local
object-group service RDP tcp
description RDP
port-object eq 3389
object-group service MedTrak tcp
description MedTrak
port-object eq 9091
object-group service 3390 tcp
description 3390
port-object eq 3390
object-group network REMOTE_SERVERS
description Remote servers involved in VPN communications
network-object host REMOTE_SERVER3
network-object host REMOTE_SERVER1
network-object host REMOTE_SERVER2
access-list outside_access_in extended permit tcp any host dbServer eq 3389
access-list outside_access_in extended permit tcp any host dbServer eq 9091
access-list outside_access_in extended permit tcp any host dbServer eq 3390
access-list outside_in extended permit tcp any interface outside eq 3389
access-list outside_in extended permit tcp any interface outside eq 9091
access-list inside_nat_static extended permit ip host LOCAL_SERVER object-group REMOTE_SERVERS
pager lines 24
logging enable
logging asdm informational
mtu inside 1500
mtu outside 1500
mtu dmz 1500
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-524.bin
no asdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 1 0.0.0.0 0.0.0.0
static (inside,outside) tcp interface 3389 dbServer 3389 netmask 255.255.255.255
static (inside,outside) tcp interface 9091 dbServer 9091 netmask 255.255.255.255
static (inside,outside) LOCAL_SERVER_NAT access-list inside_nat_static
access-group outside_in in interface outside
route outside 0.0.0.0 0.0.0.0 74.95.237.130 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
http server enable
http 192.168.1.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto map outside_map 1 match address inside_nat_static
crypto map outside_map 1 set peer 192.xx.xx.xx
crypto map outside_map 1 set transform-set ESP-3DES-MD5
crypto map outside_map interface outside
crypto isakmp enable outside
crypto isakmp policy 10
authentication pre-share
encryption 3des
hash md5
group 2
lifetime 86400
telnet timeout 5
ssh timeout 5
console timeout 0
dhcpd auto_config outside
!
dhcpd address 192.168.1.100-192.168.1.20
dhcpd dns dbServer interface inside
dhcpd wins dbServer interface inside
dhcpd lease 1048575 interface inside
dhcpd ping_timeout 900 interface inside
dhcpd domain xxxxx.local interface inside
dhcpd enable inside
!
tunnel-group 192.xx.xx.xx type ipsec-l2l
tunnel-group 192.xx.xx.xx ipsec-attributes
pre-shared-key *
!
!
prompt hostname context
Cryptochecksum:dfXXXXXXXXX
: end
[X]
Welcome to Experts Exchange
Add your voice to the tech community where 5M+ people just like you are talking about what matters.
- Help others & share knowledge
- Earn cash & points
- Learn & ask questions
3
4 Comments
change the below acl
access-list inside_nat_static extended permit ip host LOCAL_SERVER object-group REMOTE_SERVERS
to
access-list inside_nat_static extended permit ip host LOCAL_SERVER_NAT object-group REMOTE_SERVERS
and create another acl..something like this:
access-list inside_nat extended permit ip host LOCAL_SERVER object-group REMOTE_SERVERS
and use it for the static:
static (inside,outside) LOCAL_SERVER_NAT access-list inside_nat
access-list inside_nat_static extended permit ip host LOCAL_SERVER object-group REMOTE_SERVERS
to
access-list inside_nat_static extended permit ip host LOCAL_SERVER_NAT object-group REMOTE_SERVERS
and create another acl..something like this:
access-list inside_nat extended permit ip host LOCAL_SERVER object-group REMOTE_SERVERS
and use it for the static:
static (inside,outside) LOCAL_SERVER_NAT access-list inside_nat
dont forget your nonat command
access-list nonat extended permit ip 10.0.0.0 255.255.255.0 192.168.2.0 255.255.255.0
access-list nonat extended permit ip 10.0.0.0 255.255.255.0 192.168.2.0 255.255.255.0
so the policy nat should have access-list from local ip to remote server
and
crypto acl ie. inside_nat_static should have entry for traffic from nat ip to remote server.
and
crypto acl ie. inside_nat_static should have entry for traffic from nat ip to remote server.
Featured Post
Question has a verified solution.
If you are experiencing a similar issue, please ask a related question
For months I had no idea how to 'discover' the IP address of the other end of a link (without asking someone who knows), and it drove me batty.
Think about it. You can't use Cisco Discovery Protocol (CDP) because it's not implemented on the ASAs.…
This article explains the fundamentals of industrial networking which ultimately is the backbone network which is providing communications for process devices like robots and other not so interesting stuff.
After creating this article (http://www.experts-exchange.com/articles/23699/Setup-Mikrotik-routers-with-OSPF.html), I decided to make a video (no audio) to show you how to configure the routers and run some trace routes and pings between the 7 sites…
After creating this article (http://www.experts-exchange.com/articles/23699/Setup-Mikrotik-routers-with-OSPF.html), I decided to make a video (no audio) to show you how to configure the routers and run some trace routes and pings between the 7 sites…
Suggested Courses
Course of the Month9 days, left to enroll
764 members asked questions and received personalized solutions in the past 7 days.
Join the community of 500,000 technology professionals and ask your questions.