Cisco ASA L2L VPN NAT option

beardog1113 (asker):

hi Experts

With my Cisco ASA firewall there is an L2L VPN connection with a client network; my configuration is quite similar to the example in the link below. Actually there is no difference with or without this option:

nat (inside,outside) source static local-network local-network destination static remote-network remote-network no-proxy-arp route-lookup


I am curious why that is. How can I make it take effect?

thank you


https://www.cisco.com/c/en/us/support/docs/security/asa-5500-x-series-firewalls/215884-configure-a-site-to-site-vpn-tunnel-with.html

Tags: Cisco, VPN, Networking, ASA

arnold:

It would be helpful if you provided detail on what it is you are trying, instead of providing a link to another configuration.

Which version of IOS is running on your ASA?
The example is for Cisco ASAv running 9.12(3)9.
beardog1113 (asker):

hello arnold
I mean that with or without the NAT option there is no difference in the connection between both sites; the connection stays available.
And my ASA version is 9.10(1)42.

thanks

arnold:

I do not understand.

What are you trying to do?
It is difficult for me to get what you have and what you are trying to achieve.

Are you trying to have an IP on the local side that connects through the VPN to another?
Or are you trying to overlay the remote LAN?

When you post a single line as you have with undefined objects it is a guessing game.
beardog1113 (asker):

hi arnold
Sorry for confusing you; let me make it clear. Below is the relevant VPN configuration on my ASA firewall:

object-group network HY_Subnet
 network-object 10.255.30.128 255.255.255.192
object-group network Internal
 network-object 10.0.0.0 255.0.0.0
 network-object 172.16.0.0 255.240.0.0
 network-object 192.168.0.0 255.255.0.0

access-list HY extended permit ip 10.160.0.0 255.255.0.0 10.255.30.128 255.255.255.192

nat (inside,outside) source static Internal Internal destination static HY_Subnet HY_Subnet no-proxy-arp route-lookup

route outside 10.255.30.128 255.255.255.192 x.x.x.x 1

crypto map outside-map 10 match address HY
crypto map outside-map 10 set pfs group5
crypto map outside-map 10 set connection-type originate-only
crypto map outside-map 10 set peer y.y.y.y
crypto map outside-map 10 set ikev1 transform-set ESP-AES-256-SHA
crypto map outside-map 10 set security-association lifetime seconds 28800

crypto ikev1 enable outside
crypto ikev1 enable inside
crypto ikev1 am-disable
crypto ikev1 policy 10
 authentication pre-share
 encryption 3des
 hash sha
 group 2
 lifetime 28800
crypto ikev1 policy 11
 authentication pre-share
 encryption aes
 hash sha
 group 5
 lifetime 86400
crypto ikev1 policy 12
 authentication pre-share
 encryption aes-256
 hash sha
 group 2
 lifetime 86400
crypto ikev1 policy 13
 authentication pre-share
 encryption 3des
 hash sha
 group 5
 lifetime 86400

tunnel-group y.y.y.y type ipsec-l2l
tunnel-group y.y.y.y ipsec-attributes
 ikev1 pre-shared-key *****
 peer-id-validate nocheck
beardog1113 (asker):

The connection between 10.160.0.0/16 and 10.255.30.128/26 works without any issue.
If I remove
nat (inside,outside) source static Internal Internal destination static HY_Subnet HY_Subnet no-proxy-arp route-lookup
the connection between 10.160.0.0/16 and 10.255.30.128/26 still works without any issue.
So I think nat (inside,outside) source static Internal Internal destination static HY_Subnet HY_Subnet no-proxy-arp route-lookup is redundant? How can I make it take effect?

Hope it makes sense this time.
thank you 
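The observation above is expected: a static identity (twice) NAT line permits or denies nothing. Its only job is to keep the addresses of the Internal-to-HY_Subnet flows untranslated, so that the packet the crypto map sees still matches the crypto ACL HY. The ASA matches the crypto ACL against the packet after NAT, so the exemption only has a visible effect when some other NAT rule would otherwise rewrite the source address; with no competing rule, removing it changes nothing. The following script is an added example, not code from the thread or from Cisco: it models the ASA NAT sections (section 1 manual NAT first, section 3 after-auto last; section 2 object NAT is omitted) with the posted objects and crypto ACL, and then adds an assumed catch-all PAT to the outside interface (a common `nat (inside,outside) after-auto source dynamic any interface` line) to show when the identity rule starts to matter. The outside interface address 198.51.100.1 and the hosts are constructed.

```python
"""Added example (not from the thread): model of ASA NAT rule selection and
crypto-map matching on the translated packet. Simplified: object NAT
(section 2) is omitted, only source translation is modelled, and the outside
interface address is an assumption."""
import ipaddress
from typing import Callable, List, Optional, Tuple

Net = ipaddress.IPv4Network
Addr = ipaddress.IPv4Address


def nets(*cidrs: str) -> List[Net]:
    return [ipaddress.ip_network(c) for c in cidrs]


# Objects taken from the posted configuration.
INTERNAL = nets("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")
HY_SUBNET = nets("10.255.30.128/26")
ANY = nets("0.0.0.0/0")
# access-list HY extended permit ip 10.160.0.0 255.255.0.0 10.255.30.128 255.255.255.192
CRYPTO_ACL = (ipaddress.ip_network("10.160.0.0/16"),
              ipaddress.ip_network("10.255.30.128/26"))
OUTSIDE_IF_IP = ipaddress.ip_address("198.51.100.1")  # constructed, not from the thread


def in_any(addr: Addr, candidates: List[Net]) -> bool:
    return any(addr in n for n in candidates)


class NatRule:
    """One manual (twice) NAT line. section 1 = before object NAT, 3 = after-auto."""

    def __init__(self, name: str, section: int, src: List[Net], dst: List[Net],
                 translate_src: Callable[[Addr], Addr]):
        self.name, self.section = name, section
        self.src, self.dst = src, dst
        self.translate_src = translate_src

    def matches(self, src: Addr, dst: Addr) -> bool:
        return in_any(src, self.src) and in_any(dst, self.dst)


def apply_nat(rules: List[NatRule], src: Addr, dst: Addr) -> Tuple[Addr, Optional[str]]:
    """First matching rule wins; sections are walked in order 1, (2), 3."""
    for section in (1, 2, 3):
        for rule in rules:
            if rule.section == section and rule.matches(src, dst):
                return rule.translate_src(src), rule.name
    return src, None  # no rule at all: the packet leaves untranslated


def goes_through_tunnel(rules: List[NatRule], src: str, dst: str) -> Tuple[bool, str, Optional[str]]:
    """Return (crypto ACL matched on the post-NAT packet, post-NAT source, NAT rule hit)."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    new_src, hit = apply_nat(rules, s, d)
    encrypted = new_src in CRYPTO_ACL[0] and d in CRYPTO_ACL[1]
    return encrypted, str(new_src), hit


# The poster's identity rule (section 1): source and destination map to themselves.
EXEMPT = NatRule("Internal->HY_Subnet identity NAT", 1, INTERNAL, HY_SUBNET, lambda s: s)
# An assumed catch-all PAT (section 3), the rule that would break the tunnel on its own:
#   nat (inside,outside) after-auto source dynamic any interface
CATCHALL_PAT = NatRule("any->interface PAT", 3, ANY, ANY, lambda s: OUTSIDE_IF_IP)

if __name__ == "__main__":
    flow = ("10.160.1.10", "10.255.30.130")  # constructed hosts inside the posted prefixes
    for label, rules in [("identity only", [EXEMPT]),
                         ("no NAT at all", []),
                         ("PAT only", [CATCHALL_PAT]),
                         ("identity + PAT", [EXEMPT, CATCHALL_PAT])]:
        print(f"{label:15s} -> {goes_through_tunnel(rules, *flow)}")
```

With only the identity rule, or with no NAT at all, the flow reaches the crypto map untranslated and is encrypted either way, which is exactly what the poster saw. Once a catch-all PAT exists, removing the identity rule sends the flow out as 198.51.100.1 and it no longer matches access-list HY, so it leaves in the clear instead of over the tunnel. On a real ASA the same thing can be read off `packet-tracer input inside tcp 10.160.1.10 12345 10.255.30.130 443` (the NAT phase names the rule that was hit) and `show nat detail` (per-rule hit counts).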
ASKER CERTIFIED SOLUTION (arnold)

beardog1113 (asker):

hi arnold
see below
ASA-01# sh run all sysopt
no sysopt traffic detailed-statistics
no sysopt connection timewait
sysopt connection tcpmss 1380
sysopt connection tcpmss minimum 0
sysopt connection permit-vpn
sysopt connection reclassify-vpn
no sysopt connection preserve-vpn-flows
no sysopt radius ignore-secret
no sysopt noproxyarp outside
no sysopt noproxyarp inside

Should I have it removed?
thanks

arnold:

no sysopt connection permit-vpn
And then you will control it through the
nat (inside,outside) rule.
beardog1113 (asker):

OK, will try that later.
thank you
beardog1113 (asker):

hi arnold
After "no sysopt connection permit-vpn" the nat (inside,outside) does not control the traffic, same as before.
any ideas?

thank you
arnold:

Try also excluding the reclassify-vpn line.
beardog1113 (asker):

hi arnold
Not helpful. :(
thanks
arnold:

Did you bounce the VPN?

Look at the config example you posted and your config.
beardog1113 (asker):

hi arnold
What do you mean by bounce the VPN?
thanks
arnold:

You can disconnect the tunnel to a specific peer:

clear ipsec sa peer <remote gateway IP of peer>

See, when it re-establishes, whether the changes made make a difference.
beardog1113 (asker):

hi arnold
Still the same, and it looks like "sysopt connection permit-vpn" only affects the remote access client VPN: without it, no matter how the VPN filter, group policy or NAT are configured, the remote client VPN has no connection at all.
thanks

beardog1113 (asker):

hi arnold
I found this: I have to have the configuration below present
access-list outside-acl extended permit icmp any any
access-list outside-acl extended permit ip VPN-Client-Sub any
access-group outside-acl in interface outside

to make the remote access VPN work, and "no sysopt connection permit-vpn" only affects inbound VPN traffic. In other words, connections sourced from the other end to mine are not available unless I permit them in "outside-acl", but for outbound traffic there is no limitation at all. I suppose the nat (inside,outside) should have that under control, but it does not.
any ideas?
thanks
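What the poster found above is the documented behaviour, and it has nothing to do with NAT: `sysopt connection permit-vpn` (on by default) exempts decrypted IPsec traffic from the interface ACL on the outside interface, while `vpn-filter` in the group policy still applies. With `no sysopt connection permit-vpn`, decrypted packets are checked against the outside interface ACL like any other inbound packet, but replies to connections the local side opened are matched to the existing connection entry and never reach the ACL, which is why only remote-initiated connections broke. The script below is an added example, not code from the thread or from Cisco; it models that decision for a constructed pair of hosts inside the posted prefixes, with a constructed outside-acl entry (the poster's actual outside-acl is not reproduced) and no vpn-filter.

```python
"""Added example (not from the thread): stateful model of how an ASA treats
decrypted IPsec traffic with and without 'sysopt connection permit-vpn'.
NAT and vpn-filter are omitted; ACL entries are constructed samples."""
import ipaddress
from typing import List, Optional, Set, Tuple


class AclEntry:
    """One line of an ASA extended ACL, reduced to IP networks and a destination port."""

    def __init__(self, action: str, src_cidr: str, dst_cidr: str, dport: Optional[int] = None):
        self.action = action
        self.src = ipaddress.ip_network(src_cidr)
        self.dst = ipaddress.ip_network(dst_cidr)
        self.dport = dport

    def matches(self, src: str, dst: str, dport: int) -> bool:
        return (ipaddress.ip_address(src) in self.src
                and ipaddress.ip_address(dst) in self.dst
                and (self.dport is None or self.dport == dport))


def acl_permits(acl: List[AclEntry], src: str, dst: str, dport: int) -> bool:
    """First match wins; every ASA ACL ends with an implicit deny."""
    for entry in acl:
        if entry.matches(src, dst, dport):
            return entry.action == "permit"
    return False


class Asa:
    """Just enough of the ASA to show the effect of 'sysopt connection permit-vpn'."""

    EXISTING = "allowed: reply to an existing connection"
    SYSOPT = "allowed: sysopt connection permit-vpn bypasses outside-acl"
    ACL = "allowed: outside-acl permit"
    DENIED = "denied: outside-acl implicit deny"

    def __init__(self, permit_vpn: bool, outside_acl: List[AclEntry]):
        self.permit_vpn = permit_vpn
        self.outside_acl = outside_acl
        # Connection table keyed by (local ip, remote ip, remote port);
        # the local source port is ignored to keep the model short.
        self.conns: Set[Tuple[str, str, int]] = set()

    def local_initiated(self, src: str, dst: str, dport: int) -> bool:
        """inside -> tunnel. outside-acl is applied 'in' on outside, so it never
        sees this packet; the ASA records a connection entry for the reply."""
        self.conns.add((src, dst, dport))
        return True

    def from_tunnel(self, src: str, sport: int, dst: str, dport: int) -> Tuple[bool, str]:
        """Decrypted IPsec packet arriving on the outside interface."""
        if (dst, src, sport) in self.conns:      # stateful return traffic
            return True, self.EXISTING
        if self.permit_vpn:                      # ASA default
            return True, self.SYSOPT
        if acl_permits(self.outside_acl, src, dst, dport):
            return True, self.ACL
        return False, self.DENIED


# Constructed sample hosts inside the posted prefixes, and a constructed ACL line:
#   access-list outside-acl extended permit tcp 10.255.30.128/26 10.160.0.0/16 eq 445
LOCAL_HOST, REMOTE_HOST = "10.160.1.10", "10.255.30.130"
OUTSIDE_ACL = [AclEntry("permit", "10.255.30.128/26", "10.160.0.0/16", dport=445)]

if __name__ == "__main__":
    for label, asa in [("default sysopt", Asa(True, [])),
                       ("no sysopt, empty acl", Asa(False, [])),
                       ("no sysopt, acl permit 445", Asa(False, OUTSIDE_ACL))]:
        asa.local_initiated(LOCAL_HOST, REMOTE_HOST, 443)
        print(label, "| reply to local:", asa.from_tunnel(REMOTE_HOST, 443, LOCAL_HOST, 50000)[1])
        print(label, "| new from remote:", asa.from_tunnel(REMOTE_HOST, 40000, LOCAL_HOST, 445)[1])
```

The middle case reproduces the thread: with the sysopt removed and nothing in outside-acl, the reply to the locally opened connection is still allowed, while a fresh connection from 10.255.30.130 is dropped until a permit for it is added to outside-acl. Neither case is influenced by the identity NAT line; if the goal is to restrict which hosts may use the tunnel in either direction, the tools are the crypto ACL, `vpn-filter`, and, with the sysopt off, the interface ACL.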

beardog1113 (asker):

hi arnold
do you have any solutions?
thank you
arnold:

I am unsure I understand what you are after.
The interesting traffic is what the tunnel will allow to enter and exit.

Only systems you configure will try to access resources on the remote LAN.
beardog1113 (asker):

hi arnold
In my scenario the "nat (inside,outside)" is not operational in controlling VPN traffic; whether I have it or not, there is no difference. I thought it would be, and I need it to be, operational. How can I make it so?
thanks

arnold:

Once the sysopt directive bypassing NAT for VPN traffic is gone, the nat rule is what controls.

But you are saying new requests from the remote site work?

Commonly your ACL allows traffic from your side to go through the tunnel and the response to come back.
beardog1113 (asker):

hi arnold
Let me make the question simple: no matter whether I have "sysopt connection permit-vpn" or not, "nat (inside,outside) source static Internal Internal destination static HY_Subnet HY_Subnet no-proxy-arp route-lookup" doesn't control the traffic.
With the nat (inside,outside) option, access from local to remote is available;
without the nat (inside,outside) option, access from local to remote is also available.
So let's not consider access from remote any more.
thanks

arnold:

Based on the information available, I am unclear what allows the traffic passage.

The link in a way discusses the VPN setup.

Your setup includes something that impacts this.
beardog1113 (asker):

hi arnold
Do you need the full configuration?
thanks

arnold:

Possibly, though I thought the sysopt answered the call.
But I can't think of what other setting or configuration you might have that impacts this behavior.
Possibly 10.0.0.0/8 is defined as a local IP block.
beardog1113 (asker):

thank you